Right. I'm imagining a tool that would let users impose choices such as the following:

- Accept any certs trusted by Bruce Schneier unless they are not trusted by tptacek
- Do not accept new certs for top 1000 domain names unless they are over 7 days old and trusted by the Mozilla Foundation

Various experts could create the rules they use to decide which certs or CAs they trust, and users could decide which high-profile authority figures or institutions they want to trust. One example might even be "Bruce Schneier paranoid version".

I think this doesn't exist because of the following:

1) technically it is possible to do it today with the existing tools, even though nobody does it
2) the negative impact of trusting certs one shouldn't is low for the average user
3) sophisticated users already take precautions and are rarely fooled

I think for something like this to work it would have to be extremely simple. Surely there would be the same phenomenon as "Dr. Oz" in the realm of cyber security. Maybe the "Kevin Rose settings" would be popular, etc. But that would still open the door to distributed trust, which is an improvement over blanket trust of large corporate entities.
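As an added illustration of the rule-composition idea in the comment above (this is example code written for this page, not something the commenter or any existing tool provides), the following Python sketch encodes the two example rules as composable policy functions and evaluates them against a certificate record. The expert trust lists, the CA names (CA-A to CA-D), the "top domain" set and the certificate records are all constructed sample data; deny verdicts win over accept verdicts, and a cert that no rule accepts is rejected.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: which CAs each named expert/institution trusts.
# In a real tool these lists would be published and signed by the experts.
EXPERT_TRUST = {
    "schneier": {"CA-A", "CA-B", "CA-C"},
    "tptacek": {"CA-A", "CA-B"},
    "mozilla": {"CA-A", "CA-B", "CA-C", "CA-D"},
}

# Constructed stand-in for a "top 1000 domains" list.
TOP_DOMAINS = {"example.com", "bank.example"}


@dataclass
class Cert:
    domain: str
    issuer: str       # name of the CA the certificate chains to
    not_before: date  # issuance date of the certificate


def trusted_by(cert, expert):
    """True if the cert's issuing CA is on the named expert's trust list."""
    return cert.issuer in EXPERT_TRUST[expert]


# A rule maps (cert, today) to True (accept), False (deny) or None (no opinion).

def rule_accept_unless(accept_expert, veto_expert):
    """'Accept any certs trusted by A unless they are not trusted by B'."""
    def rule(cert, today):
        if trusted_by(cert, accept_expert) and trusted_by(cert, veto_expert):
            return True
        return None  # B's veto removes the acceptance; other rules may still apply
    return rule


def rule_top_domains_need_age(min_age_days, required_expert):
    """'Do not accept new certs for top domains unless older than N days and trusted by E'."""
    def rule(cert, today):
        if cert.domain not in TOP_DOMAINS:
            return None
        age_days = (today - cert.not_before).days
        if age_days > min_age_days and trusted_by(cert, required_expert):
            return None  # exception satisfied; leave the decision to other rules
        return False
    return rule


def evaluate(cert, rules, today):
    """Deny verdicts override accept verdicts; with no decisive rule, deny."""
    verdicts = [rule(cert, today) for rule in rules]
    if False in verdicts:
        return False
    return True in verdicts


# The two rules from the comment, expressed as a user's policy.
POLICY = [
    rule_accept_unless("schneier", "tptacek"),
    rule_top_domains_need_age(7, "mozilla"),
]


def decide(cert, today):
    """Apply the sample policy to one certificate; returns True to accept."""
    return evaluate(cert, POLICY, today)


if __name__ == "__main__":
    today = date(2024, 1, 10)
    samples = [
        Cert("example.com", "CA-B", date(2023, 12, 1)),  # old, widely trusted -> accept
        Cert("example.com", "CA-A", date(2024, 1, 8)),   # 2 days old on a top domain -> deny
        Cert("blog.example", "CA-C", date(2023, 1, 1)),  # schneier yes, tptacek no -> deny
        Cert("blog.example", "CA-D", date(2023, 1, 1)),  # neither expert -> deny
    ]
    for cert in samples:
        print(cert.domain, cert.issuer, "accept" if decide(cert, today) else "deny")
```

The point of the structure is that each expert's list is just data, while the user's policy is the small set of rules that combine those lists; swapping "schneier" for another name, or tightening the 7-day window, changes nothing else.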