> sites could specify which authorities are or are not allowed to sign their SSL and TLS certificates
This idea actually sounds fantastic. If I only ever buy my certificates from one or two CAs and if I can disallow certificates signed by other CAs, I won't have to worry about some random CA getting hacked and millions of fake certs being trusted by browsers.
Implementing this scheme, on the other hand, will be tricky. If I use a DNS record to specify my trusted CAs, sort of like how we do SPF nowadays, anyone who can hijack DNS queries will also be able to forge that record. Proper DNS security must be provided before this measure can be made effective.