
Do you know of any alternatives being worked on? No snark intended, I am genuinely curious about the current state of affairs.



Some developments in this area are:

* Convergence.io

* DNS-based Authentication of Named Entities (DANE) + DNSSEC

* Tack.io

For various reasons listed in [1] Convergence is not likely to be implemented (by default) in major browsers.

On DANE + DNSSEC, where the cert is authenticated via the information published in your DNS, Moxie Marlinspike has said it better than I can:

    "CAs are sketchy, but this is a whole new world of sketchiness. Think,
    sketchasaurus. Registrars were never built or selected with security in mind,
    and most of them don’t have a very good track record in this area. Shouldn’t it
    be laughable that the current first step in deploying DNSSEC is to create an
    account with GoDaddy?"[2]

The 2011 BlackHat video[3] and blog post[2] by Moxie Marlinspike are great sources of information.

IMO, Tack.io is the most viable solution. It's compatible with the current model but removes the threat of one CA being able to compromise all domains.

[1] http://www.imperialviolet.org/2011/09/07/convergence.html

[2] http://www.thoughtcrime.org/blog/ssl-and-the-future-of-authe...

[3] http://www.youtube.com/watch?v=Z7Wl2FW2TcA


Registrars are trusted. They can change the DNS records for your domain to point at their servers, allowing them to intercept email. That's sufficient to allow them to get certificates issued for your domain through some providers.


For domain validated certs, certainly.

The issue is that it doesn't solve anything. We merely shift (more) responsibility to registrars and NICs. You can change (untrust) registrars I suppose but if you have a .com you'll have to trust Verisign _forever_. Well, at least as long as they operate the .com tld. So if Verisign loses your trust, there is even less you can do than today.


Check out http://tack.io/ and http://convergence.io/

You could also listen to this if that's your preferred way of learning things:

https://threatpost.com/en_us/blogs/moxie-marlinspike-tack-co...


Last time Convergence was crapping out when using private (or otherwise unreachable) IPs - kind of makes sense, but still disappointing. Will check out tack.io and CurveCP, cheers for the suggestions.


There's also CurveCP (http://curvecp.org/) which is a more radical alternative (replaces TCP and relies on DNSCurve, a DNS replacement) but has good security built in by default and some interesting features (remote users are identified by their public key so they can reconnect from different IP addresses and the stream keeps going without a reconnect).

It seems like a much harder thing to get adoption going for but it has good thought behind it and can exist in parallel with the rest of the TCP/IP world. I would love to see it get to a place where you can just download it from Debian or Homebrew...


I've been using CurveCP for over a year privately and love it. I'll probably expand to production, starting with CurveHTTP, with the next release of NaCl. Not sure if that makes me the chicken or the egg.


There's DANE [1], which uses DNSSEC to authenticate TLS certificates. Chrome supports (or at least supported) something very similar but Chrome-specific [2]. The code to support DANE in Chrome apparently exists but I don't know if it's actually available to use. [3]

1. http://datatracker.ietf.org/doc/rfc6698/

2. http://www.imperialviolet.org/2011/06/16/dnssecchrome.html

3. http://www.imperialviolet.org/2012/10/20/dane-stapled-certif...
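As an added example (not code from this thread or from any DANE implementation), here is the check a DANE-aware client performs against a TLSA record as the RFC in [1] specifies: parse the record, select the full certificate or its SubjectPublicKeyInfo, hash it as the record says, and compare. It assumes the TLSA RRset was already fetched through a DNSSEC-validating resolver, which is exactly the dependence on registrars and TLD operators argued about in the comments above; SAMPLE_CERT is constructed stand-in bytes, not a real certificate.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 0 1 2b3c...' (the hex may contain spaces)."""
    fields = presentation.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in range(3):
        raise ValueError("unknown TLSA field value")
    return TLSARecord(usage, selector, mtype, bytes.fromhex("".join(fields[3].split())))


def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: Optional[bytes] = None) -> bool:
    """True if the leaf satisfies the record. Selector 1 needs the DER
    SubjectPublicKeyInfo from the caller (extracting it takes an ASN.1 parser)."""
    if rec.selector == 0:
        subject = cert_der
    elif spki_der is None:
        raise ValueError("selector 1 needs the certificate's SubjectPublicKeyInfo")
    else:
        subject = spki_der
    if rec.matching_type == 1:
        subject = hashlib.sha256(subject).digest()
    elif rec.matching_type == 2:
        subject = hashlib.sha512(subject).digest()
    return hmac.compare_digest(subject, rec.data)


def dane_ee_accepts(records: Iterable[TLSARecord], cert_der: bytes,
                    pkix_valid: bool, spki_der: Optional[bytes] = None) -> bool:
    """Usage 3 (DANE-EE) vouches for the leaf on its own; usage 1 (PKIX-EE) only
    together with a passing CA chain check. Trust-anchor usages 0 and 2 need the chain."""
    return any((rec.usage == 3 or (rec.usage == 1 and pkix_valid))
               and tlsa_matches(rec, cert_der, spki_der) for rec in records)


# Constructed sample: stand-in bytes for a DER leaf certificate, not a real one.
SAMPLE_CERT = b"constructed stand-in for a DER-encoded leaf certificate"
SAMPLE_TLSA = "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()
```

A usage-3 match skips CA validation entirely, which is the "no single CA can compromise every domain" property the thread is after, at the price of trusting the DNSSEC chain instead.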


no-one has mentioned perspectives (perhaps arguably because it's not an alternative, but a patch to help make the existing approach more reliable), but it exists now and seems to work - https://chrome.google.com/webstore/detail/perspectives/lnppf... https://addons.mozilla.org/en-us/firefox/addon/perspectives/



