• @MajorHavoc@programming.dev
    link
    fedilink
    English
    7
    edit-2
    5 months ago

    I would love to see the certificate authority model become less and less important.

    “Can you write a small check to an organization we are all pretty sure isn’t outright malicious?”

    Is a surprisingly good pragmatic protection against malicious SSL certificates, I will admit.

    But there’s significant flaws with the approach - notably power dynamics and creation of large scary targets for bad actors.

    I would love to see CA acceptance move from PASS/FAIL to a dynamic risk score, that is based on my own browsing behavior (calculated solely within my browser).

    If I spend 90% of my time browsing domains at example(dot)mycorporation(dot)com, there’s a great chance that anything new signed by the same authorities can be automatically trusted.

    It would still put a lot of power in the hands of Amazon and Google, but would reduce that power in scale to the amount of services they’re actually providing to each user.