Sure, if "making the DNS totally unreliable", "baking 1990s crypto into the core of the Internet", and "conceding the CA PKI to world governments" is your idea of "better use of CAs".
> "conceding the CA PKI to world governments" is your idea of "better use of CAs".
How much different is this than the current CA situation? Just recently a subordinate CA of ANSSI (the French Network and Information Security Agency) issued a wildcard cert that could MITM just about anything.[^1] Firefox's list of trusted CAs includes:[^2]
China Internet Network Information Center (CNNIC)
Government of France
Government of Hong Kong (SAR), Hongkong Post
Government of Japan, Ministry of Internal Affairs and Communications
Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV)
Government of Spain (CAV), Izenpe S.A.
Government of The Netherlands, PKIoverheid
Government of Taiwan, Government Root Certification Authority (GRCA)
Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM)
Hong Kong
Firefox's list of pending CAs includes additional government CAs.[^3] Things are no different in Redmond. There are at least 56 government CAs (56 of the certs start with government probably others with less obvious names) in Microsoft's Root Certificate Program.[^4]
That was my point, too: the theorized system already exists. I'm definitely not advocating its use.
Ultimately, the URL bar needs to go away. More fundamentally, the asymmetric relationship between very large organizations that authenticate their identity with browser CA certs, and individuals who authenticate their identity with passwords needs to change.
Cryptographically generated addressing schemes like Telehash can do the automate-able stuff better than the current CA situation. The problem (and solution) I'm struggling to articulate involves the fact that granular authorization systems and trust databases need better UI before we can really fix this.
I suspect cheaper hardware tokens will play a significant role.
