Moxie Marlinspike's Solution To the SSL CA Problem

Trevelyan writes "In his Blackhat talk on the past and future of SSL (YouTube video) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It will let you turn off all those untrustable CAs in you browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time."

Re:Notaries...

[Tribaal_ch]

You don't really need to: You are expected to have more than one notary, so you will only trust the certificate if a majority of your notaries say it's legit. It's actually user-settable: a certificate is considered valid if a "majority say yes" or "at least one say yes" or "consensus is required". Having many notaries reduces the probability of MITM attacks, since the paths from notaries to target certificates are multiple, it's very improbable to MITM all of them at once.