I’ve spoken to some very influencal people of late, one of whom happened to be Mark Shuttleworth today at the Ubuntu down under conference. He had one particular concern about control of domain certificates, and that he didn’t feel comfortable including our current root certificate at present until we either stopped issuing them under our present root (ie setup another root certificate for assured certificates, or start issuing unassured certificates from a new root), or alternatively we can just not issue them to unassured people.
Also worth mentioning that at one point webtrust certification was mentioned but he wasn’t really that concerned about it, he was more worried about the security (or insecurity) of control of domain type certificates.
This isn’t the first time that it’s been suggested that we alter how many root certs we operate and under what conditions people are allowed to issue from which certificate, at this point in time it’s a difficult decision to make and we’re looking to the community for feedback on the issue (as this will effect a lot of people no matter what happens) and what the best course of action to take is.
Comments on this are important!
* one possible solution might be to issue a new root cert signed by the current root cert (since this issue only effects server certificates) that way it should work with least amount of impact to most/all people.