Apr 25, 2011
From Adam Bray:
What is the problem this idea addresses, why does it matter?
Certificate Authorities allow organizations and individuals to prove their identity to others; however, problems with such authorities persist. There needs to be more accountability to ensure their trustworthiness.
What is the goal of the idea?
Allowing users to rate and review certificate authorities would increase accountability and enable users to “watch the watchers.” This information would enable others to control what certificates their browsers and operating system trust.
How does the idea work?
The system would likely consist of three parts:
1) A website designed to educate users on how PKI (public key infrastructure) works and why it’s important.
2) A site or service allowing people to leave ratings and reviews of certificate authorities.
3) A suite of web browser plugins or stand-alone applications which would alert users when a visited site’s certificate was granted by a CA that is considered untrustworthy. Ideally, these plugins/apps would allow users to manage the default trust settings for CAs in their browser.
Implementing this idea would require the programming of the site and the plugins, as well as the creation of the educational materials. The feasibility of the browser plugins assisting with certificate management may be limited, depending on how various browsers expose this functionality, and thus may require cooperation with browser developers.
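The alert check from part 3, as an added Go example that is not part of the original idea or of any real plugin: the site certificate is first verified against the browser's root store, and the trust anchor that actually validated the chain is then looked up in a ratings database. The `Evaluate` and `Rating` names, the 0-5 score scale, the threshold, and the in-process test certificates are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Rating struct{ Score float64; Reviews int }          // constructed stand-in for a community score (0-5)
type Verdict struct{ Anchor string; Alert bool; Reason string } // what the plugin would surface for one site

// Evaluate verifies the site certificate against the browser's root store, then looks up the trust
// anchor that actually validated the chain (not whatever root the server sent) in the ratings database.
func Evaluate(leaf *x509.Certificate, roots *x509.CertPool, ratings map[string]Rating, minScore float64) Verdict {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	if err != nil { // an unverifiable chain is alerted on before any rating is consulted
		return Verdict{Alert: true, Reason: "chain does not verify: " + err.Error()}
	}
	anchor := chains[0][len(chains[0])-1].Subject.CommonName
	r, ok := ratings[anchor]
	reason := fmt.Sprintf("CA rated %.1f/5 over %d reviews", r.Score, r.Reviews)
	if !ok {
		reason = "CA has no reviews yet"
	}
	return Verdict{Anchor: anchor, Alert: !ok || r.Score < minScore, Reason: reason}
}

// newCert builds a self-signed CA (parent == nil) or a leaf signed by parent. Constructed test data only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
func main() {
	ca, caKey := newCert("Example Low-Rated CA", true, nil, nil)
	leaf, _ := newCert("www.example.test", false, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Printf("%+v\n", Evaluate(leaf, roots, map[string]Rating{"Example Low-Rated CA": {Score: 1.5, Reviews: 42}}, 3.0))
}
```

A real plugin would take the leaf and the root store from the browser's connection and trust settings instead of building them in-process.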