On Thu, Aug 23, 2012 at 01:37, Justin N. Lindberg wrote:
 
> So why isn't there a good way for an end user to strictly limit trust
> in, for example, a "Google Internet Authority" to those domains that
> are actually owned by Google, and conversely, not to trust any other
> authority to sign certs for domains owned by Google?

The people designing the protocol never got that far.

Anyway the workaround du jour is certificate pinning.  Your browser is
supposed to remember the cert used for the previous connection and
warn if it changes, which reduces the window of opportunity.
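
The remember-and-warn behaviour described in the reply, sketched as a trust-on-first-use pin store. This is an added example, not part of the original message and not any browser's actual code; the `PinStore` class, the JSON pin file and the host name `example.test` are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinStore:
    """Trust-on-first-use store: host -> SHA-256 of the DER certificate."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, "r", encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def _save(self):
        # Write then rename, so a crash cannot leave a truncated pin file.
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, sort_keys=True)
        os.replace(tmp, self.path)

    def check(self, host, der_cert):
        """Return 'first-seen', 'match' or 'changed'; a change never
        overwrites the stored pin, so the warning repeats until resolved."""
        host = host.lower().rstrip(".")
        seen = hashlib.sha256(der_cert).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact is trusted blindly: this is the remaining window.
            self.pins[host] = seen
            self._save()
            return "first-seen"
        return "match" if hmac.compare_digest(pinned, seen) else "changed"


def demo():
    # Constructed byte strings standing in for DER-encoded certificates.
    original, substitute = b"constructed-cert-A", b"constructed-cert-B"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    store = PinStore(path)
    results = [store.check("Example.test", original),
               store.check("example.test", original),
               store.check("example.test", substitute)]
    # A new process reloading the file still holds the original pin.
    results.append(PinStore(path).check("example.test", original))
    return results


if __name__ == "__main__":
    print(demo())
```

A legitimate certificate renewal also reports `changed`, so a real client needs a deliberate step for accepting a new pin.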
