I'd wager WebTrust doesn't really care or else this wouldn't go unfixed for so long. While I appreciate this problem, I really wish we had something usable between CA-signed HTTPS and regular HTTP. We can't even have encryption on the web without paying somebody.
I'm beginning to feel like a broken record saying this, but it's possible to get a browser-recognised certificate for free, for example from http://www.startssl.com/ (yes, their web site design is straight out of 2001, but it works).
I've tried StartSSL before and this is my view on that: Yeah great, unless you want to support older certificate stores that haven't been updated (any before 2006). Maybe in another 3-5 years it'll be great though.
Well, really we pay CAs for authentication, not encryption. Your computer can encrypt just fine on its own.
Most of the solutions I've seen to this problem are done in one of three ways:
1. Create better tools to monitor for abuses, e.g. Google's new DNS-accessible SSL repository or Perspectives.
2. Tack on trust-on-first-use, e.g. SSH or CertPatrol.
3. Make industry-specific root CAs that self-regulate, e.g. a financial services CA with browser chrome that displays finance-specific info. Then the SSL observatory can play each root off each other with comparative stats.
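Trust-on-first-use from item 2 of the list above, as an added example (not from the thread, and not the code of SSH or CertPatrol): the client pins the SHA-256 fingerprint of the first certificate it sees for a host and flags any later change instead of silently accepting it. `PinStore`, `pins.json` and `intranet.example` are hypothetical names, and the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import tempfile

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Hypothetical on-disk pin store: {"host:port": fingerprint}."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                self.pins = json.load(f)

    def check(self, host: str, port: int, der_cert: bytes) -> str:
        key = f"{host.lower()}:{port}"
        seen = fingerprint(der_cert)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact is unauthenticated: this is the TOFU leap of faith.
            self.pins[key] = seen
            self._save()
            return "first-use"
        if hmac.compare_digest(pinned, seen):
            return "match"
        # Never overwrite silently; the caller must warn and ask the user.
        return "changed"

    def _save(self) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)  # atomic swap so a crash cannot truncate pins

def demo() -> list:
    # Constructed stand-ins for DER bytes; a real client would pass
    # ssl.SSLSocket.getpeercert(binary_form=True).
    a, b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pins.json")
        # A fresh PinStore per call shows the pin persists across runs.
        return [PinStore(path).check("intranet.example", 443, c) for c in (a, a, b, a)]
```

A "changed" verdict does not distinguish a legitimate certificate renewal from interception, so the client has to surface it to the user rather than decide on its own.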
Except I was talking about encrypting in the browser which is a lost cause if your clients leave your site when they see "untrusted content!!!!!!!!!!!!" All your solutions are for non-HTTP traffic as far as I can tell.
Wouldn't signing `localhost` be useful in testing browsers and testing locally-running versions of websites which have signed SSL certificates? The alternative being intercepting and faking the responses from the CAs when your browser attempts to verify your localhost:8080 website? Or is there another viable, non-"master SSL off-switch" option here?
"Organizations relying on certificates for unqualified names should use their own private CA for their private namespace. For example, all those Exchange shops can use Microsoft's CA software."