by jcase 4909 days ago
Some developments in this area are:

* Convergence.io

* DNS-based Authentication of Named Entities (DANE) + DNSSEC

* Tack.io

For various reasons listed in [1] Convergence is not likely to be implemented (by default) in major browsers.

On DANE + DNSSEC, where the cert is authenticated via the information published in your DNS, Moxie Marlinspike has said it better than I can:

    "CAs are sketchy, but this is a whole new world of sketchiness. Think,
    sketchasaurus. Registrars were never built or selected with security in mind,
    and most of them don’t have a very good track record in this area. Shouldn’t it
    be laughable that the current first step in deploying DNSSEC is to create an
    account with GoDaddy?"[2]
The 2011 BlackHat video[3] and blog post[2] by Moxie Marlinspike are great sources of information.

IMO, Tack.io is the most viable solution. It's compatible with the current model but removes the threat of one CA being able to compromise all domains.

[1] http://www.imperialviolet.org/2011/09/07/convergence.html

[2] http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authe...

[3] http://www.youtube.com/watch?v=Z7Wl2FW2TcA
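To make the DANE mechanism the comment is discussing concrete, here is an added example (not part of jcase's post, and not code from any of the projects mentioned) of how a TLSA record binds a certificate or public key to a DNS name per RFC 6698. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real keys; the field meanings (usage, selector, matching type) are the standard ones.

```python
"""Added example: how a DANE TLSA record ties a TLS certificate to a DNS name.

Not from the original post. Works entirely on constructed byte strings; no
network, DNS or TLS library is involved.
"""
import hashlib
import hmac

# Constructed sample stand-ins for a server's DER certificate and its
# SubjectPublicKeyInfo (SPKI). They are not real keys; only the bytes matter
# because TLSA records carry either the raw bytes or a hash of them.
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200" + "04" + "ab" * 64
)
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-cert-prefix" + SAMPLE_SPKI + b"constructed-sig"

# RFC 6698 field values.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: "sha256", 2: "sha512"}


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Bytes the record's data field holds for this cert under the given selector/matching type."""
    if selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unsupported selector or matching type")
    chosen = cert_der if selector == 0 else spki_der
    algo = MATCHING[mtype]
    return chosen if algo is None else hashlib.new(algo, chosen).digest()


def make_tlsa_record(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Build the presentation form a zone operator would publish, e.g. '3 1 1 <hex>'."""
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    data = association_data(cert_der, spki_der, selector, mtype)
    return f"{usage} {selector} {mtype} {data.hex()}"


def parse_tlsa(record: str):
    """Split 'usage selector mtype hexdata' into typed fields."""
    parts = record.split()
    if len(parts) != 4:
        raise ValueError("TLSA presentation form is: usage selector mtype hexdata")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    return usage, selector, mtype, bytes.fromhex(parts[3])


def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate matches the published record.

    The record is the trust anchor here: whoever can write the zone (the
    registrar or DNS operator, as the quoted blog post points out) decides
    which key this check accepts.
    """
    _usage, selector, mtype, data = parse_tlsa(record)
    expected = association_data(cert_der, spki_der, selector, mtype)
    return hmac.compare_digest(expected, data)


def requires_pkix_validation(record: str) -> bool:
    """Usages 0/1 only constrain a chain that must still pass CA validation;
    usages 2/3 replace CA trust with DNS(SEC) trust entirely."""
    return parse_tlsa(record)[0] in (0, 1)


if __name__ == "__main__":
    rec = make_tlsa_record(3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)
    print(rec)
    print("matches:", tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI))
    print("still needs CA validation:", requires_pkix_validation(rec))
```

A DANE-EE record ("3 1 1") makes the DNS zone, not a CA, the sole authority for the key, which is exactly the trust shift the thread debates: the check above accepts any key for which a matching record can be published, so the zone's write access (registrar, NIC, DNS operator) becomes the thing to protect and monitor.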

1 comments

Registrars are trusted. They can change the DNS records for your domain to point at their servers, allowing them to intercept email. That's sufficient to allow them to get certificates issued for your domain through some providers.
For domain validated certs, certainly.

The issue is that it doesn't solve anything. We merely shift (more) responsibility to registrars and NICs. You can change (untrust) registrars I suppose but if you have a .com you'll have to trust Verisign _forever_. Well, at least as long as they operate the .com tld. So if Verisign loses your trust, there is even less you can do than today.