Self-Regulating SSL Certificate Authority?
bcg asks: "It has come that time again to renew some of my SSL certificates and part with substantial amounts of cash. This has got me thinking - why should we pay large amounts of cash for authorized certs when so little is done by the companies issuing them? Sure they get you to send them a copy of a business certificate but how does this prove the character of those running the SSL server? What ideas can we come up with for a self-regulating certification authority? Could we set something up along the lines of the many free DNS servers around but use it to authenticate SSL certs?"
We last touched on this subject in October, when someone was searching for cheap SSL certs. We've also discussed why certs are so expensive. Why not take it one step further and discuss ways of making and authenticating our own certs for free...or as close to free as possible?
> Sure they get you to send them a copy of a business certificate but how does this prove the character of those running the SSL server?
They aren't supposed to be verifying your character, they verify your identity.
Want them cheap? Let the GOVERNMENT handle SSL certs! After all, they're already handling drivers licenses, social security numbers, and ten kazillion other things that are supposed to prove that you are you, why not just give you a cert, too? For a small government fee, of course.
You call this a signature?
Basically the security behind SSL certificates (and all certification technologies) is that you trust the CA (the root of the certificate path).
Commercial companies are trusted because they would go out of business if they lost your trust. So basically you trust in the fact that they want to make money.
So here is my point: besides financing and all the other issues, how do we establish a chain of trust?