I don't know which one was first, but I wish they would cooperate to establish a standard protocol for notaries.
The model of notaries that observe SSL certificates from multiple points in the internet seems greatly superior and ultimately more trustworthy than the CA model to me. It's not perfect, but it solves the most common man-in-the-middle scenarios and is potentially extensible to become even more robust.
Perspectives/Convergence really is a great system, but it unfortunately still has several problems:
- it completely leaks your browsing history: you basically ask a notary "what's the certificate you see for kinkyneighbors.com?". Convergence addresses this, though
- it requires network-heavy intermediaries for all the browsing of all the people around the world.
- it still doesn't solve authenticity: an attacker could very well be controlling all connections arriving at your house, or leaving the target's server, and fool everyone
Convergence/Perspectives should be coupled with certificate pinning, aka storing _really_ trusted authorities (ie verified by hand) on your computer. Guess what ? [Moxie's next project is just that [0]
(For anyone curious, I highly recommend Moxie's talk [1] about Convergence, it does a great job at explaining what's the problem, what's Convergence and how it can solve at least part of it)
Convergence is a great idea, but, sadly, the project appears to be dead. The last commit to the repo was 2 years ago, and (as far as I know) the Firefox plugin has been broken for a very long time.
We (Qualys) are running several notaries and are part of the default configuration, and we're seeing very little traffic.
