On 25/04/2013 08:43, Gregor Pintar wrote:
> Hello.
> [...]
>
> I think best way is not to trust any certificate authority.
> Maybe some certificate p2p protocol could be done?

Hello,

Are you aware of DANE (RFC6698, https://en.wikipedia.org/wiki/DANE)? It is an RFC which suggests holding certificate fingerprints in special DNS records. Since DNSSEC allows us to establish trust of these records, this is a simple and robust alternative to CA-based trust models.

However, and AFAIK, it doesn't cope with entities that aren't accessed through a hostname.

Have a good day,
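
The fingerprint comparison a DANE client performs against a TLSA record (RFC 6698), as an added example that is not part of the original message. The function names and the sample bytes are assumptions constructed for illustration. The record's usage field, DNSSEC validation of the answer and certificate chain handling are outside this sketch.

```python
import hashlib
HASHES = {1: "sha256", 2: "sha512"}   # TLSA matching types; 0 means exact match

def _tlv(buf, off):
    """Return (tag, value_start, end) of the DER element starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long-form length: next n bytes hold it
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def spki_from_cert(der):
    """Slice the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    _, off, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, off, _ = _tlv(der, off)         # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:                    # explicit [0] version (absent in v1)
        off = end
    for _ in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, off = _tlv(der, off)
    _, _, end = _tlv(der, off)
    return der[off:end]

def tlsa_association(cert_der, selector, mtype):
    """Certificate association data for a selector and matching type."""
    if selector not in (0, 1):         # 0 = full certificate, 1 = SPKI
        raise ValueError("unknown selector")
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        return selected
    if mtype not in HASHES:
        raise ValueError("unknown matching type")
    return hashlib.new(HASHES[mtype], selected).digest()

def tlsa_matches(rdata, cert_der):
    """rdata: 'usage selector mtype hex...' in presentation format."""
    try:
        _usage, selector, mtype, *hexdata = rdata.split()
        expected = bytes.fromhex("".join(hexdata))
        return tlsa_association(cert_der, int(selector), int(mtype)) == expected
    except (ValueError, IndexError):   # unusable record or malformed DER: no match
        return False

# Constructed sample: a DER skeleton with certificate layout, not a real signed cert.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))
_TBS = bytes.fromhex("3041a003020102020101300506032b6570300030003000") + SAMPLE_SPKI
SAMPLE_CERT = bytes.fromhex("30818d") + _TBS + bytes.fromhex("300506032b6570034100") + bytes(64)
```

A record that pins the SPKI hash (selector 1) keeps matching after the certificate is reissued with the same key, while one that pins the full certificate (selector 0) does not.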