Are Some CAs Too Big To Fail?

Trailrunner7 writes "In the wake of this weekend's revelations of the seriousness of the attack on certificate authority DigiNotar, security experts have renewed criticism of the Internet's digital certificate infrastructure, with some wondering if larger certificate authorities (CAs) might be too big to fail. Would Mozilla and Microsoft and Google have revoked trust in root certificates from VeriSign or Thawte had they been compromised? Unlikely. 'It's not a simple matter of removing certificates from a database, because they're not in any databases,' says researcher Moxie Marlinspike, who presented an alternative approach to the current SSL infrastructure last month at DEFCON. 'We may never track them all down.'"

Marlinspike's approach

[AceJohnny]

Marlinspike's approach, implemented in a Firefox extension presented at DefCon '11, is to do away with the notion of CAs altogether in SSL, replacing it with a distributed network that reports on the certificate they see. Basically, if the certificate you see agrees with the rest of the network, then you're not being spoofed.

He had previously explained the properties a replacement to the CA system had to demonstrate in order to be viable