Comment StartSSL, DANE, Perspectives (Score 1) 70
The whole concept of a certifying authority is fundamentally broken.
Broken by StartSSL, which provides personal use certificates without charge.
Sites should be able to use unsigned keys for basic encryption.
They can. They just have to find some out-of-band way to get their keys onto visitors' machines in order to circumvent a MITM-from-day-one attack. This could involve DANE, which puts keys and certificates in DNSSEC. Or it could involve the Perspectives extension for Firefox, which verifies a site's certificate through diverse Internet routes between the site and notary servers whose certificates are delivered in a browser extension package signed by the browser vendor.
Just like with PGP.
I have my own problems with PGP's assumption of transitive trust. Just because you can vouch for someone's identity doesn't mean you can vouch for that person's ability to correctly vouch for others' identities.