I think the traditional concepts of CAs has showed again and again that it does not work. Yet cryptography is worthless if you can't validate who you are talking with. I would propose a system where multiple parties could sign the SSL-certificate and these would be shown as badges in the browser. The more badges the more trustworthy.
Say for example that you have an online store. Then the local tax-office could sign your certificate if you are a registered company in that country. If you have a contract with VISA, they could sign your certificate. The authority for your top-domain could also sign the certificate to prove you own the domain and so on.
And for a customer buying from this store, seeing these badges in the browser would let them decide how trustworthy the website is. I actually think with this solution getting the users to understand would be the least problem. The big problem would be to get developers to authenticate the certificates while doing back-end calls. I mean how many developers even does this today?
Say for example that you have an online store. Then the local tax-office could sign your certificate if you are a registered company in that country. If you have a contract with VISA, they could sign your certificate. The authority for your top-domain could also sign the certificate to prove you own the domain and so on.
And for a customer buying from this store, seeing these badges in the browser would let them decide how trustworthy the website is. I actually think with this solution getting the users to understand would be the least problem. The big problem would be to get developers to authenticate the certificates while doing back-end calls. I mean how many developers even does this today?