Mozilla boots alleged snoop troupe from its root cert coop: UAE-based DarkMatter thrown onto CA blocklist

DrXym Silver badge

And it all goes to show...

... what a shell game CA certification is. It's a security shakedown with false security imbued onto a site from a CA that nobody has ever heard of and is potentially rogue. It's only slightly better than nothing that browser vendors remove a CA after the fact.

IMO sites should be allowed to protect themselves with any cert, even a self-signed one (*). A site can still pay for a CA signature if they want (e.g. if the CA audits the business in some meaningful way). But they should also be allowed to sign their cert with keys from other people or businesses their site has a professional relationship with. E.g. if my site is for an accountancy firm, why not allow the site to be signed by the Institute of Chartered Accountants and some other meaningful signatories?

I'm sure a browser could figure some simple way to present this info with a traffic light style information system.

* A self-signed cert is still better than plaintext and is perfectly adequate for a lot of web content. Especially when the site owner can set the thing to expire for a duration that suits them, not the CA's revenue model. Ah, but what about man-in-the-middle attacks? Well, plaintext doesn't help there either, but at least self-signed stops snooping. And services like SSL lighthouse can check for MITM attacks when the cert for a site appears to change for one visit / visitor compared to another.
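The footnote's last point, that a certificate change between visits or visitors is the signal worth watching for, is the kind of check a trust-on-first-use client or an observatory-style service makes. The following is an added example (not the commenter's code, and not how any named service implements it): it pins the SHA-256 fingerprint of the first certificate seen for a host, flags later changes, and then distinguishes a change that every viewer sees (most likely a routine rotation) from one that only some viewers see (which is where a closer look is warranted). The host name, viewer names and the DER byte strings are constructed stand-ins, not real certificates; only their fingerprints matter to the logic.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the check only ever compares fingerprints, so any distinct bytes will do.
CERT_ORIGINAL = b"\x30\x82\x01\x00constructed-cert-example.test-2019"
CERT_ROTATED = b"\x30\x82\x01\x00constructed-cert-example.test-2020"
CERT_INTERPOSED = b"\x30\x82\x01\x00constructed-cert-interposer"


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, formatted the way browsers display it."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class CertObservationLog:
    """Trust-on-first-use pin per host, plus comparison of what different viewers see.

    Hypothetical design: a 'viewer' is any vantage point (a visitor, a probe), and the
    log keeps each viewer's most recent fingerprint for a host.
    """

    def __init__(self):
        self.pinned = {}                 # host -> fingerprint pinned on first sight
        self.latest = defaultdict(dict)  # host -> {viewer: latest fingerprint seen}

    def observe(self, host: str, viewer: str, der_bytes: bytes) -> str:
        """Record one observation and say how it relates to the pinned certificate."""
        fp = fingerprint(der_bytes)
        self.latest[host][viewer] = fp
        if host not in self.pinned:
            self.pinned[host] = fp
            return "first-seen"
        return "unchanged" if fp == self.pinned[host] else "changed"

    def assess(self, host: str) -> dict:
        """Classify the host's current picture across all viewers.

        consistent: everyone still sees the pinned certificate.
        rotated:    everyone sees the same new certificate (site most likely re-issued it).
        divergent:  only some viewers see a different certificate; those are the outliers.
        """
        views = self.latest.get(host, {})
        if not views:
            return {"verdict": "unknown", "outliers": []}
        majority_fp, majority_count = Counter(views.values()).most_common(1)[0]
        outliers = sorted(v for v, fp in views.items() if fp != majority_fp)
        if majority_count == len(views) and majority_fp == self.pinned[host]:
            return {"verdict": "consistent", "outliers": []}
        if majority_count == len(views):
            return {"verdict": "rotated", "outliers": []}
        return {"verdict": "divergent", "outliers": outliers}

    def accept_rotation(self, host: str) -> bool:
        """Re-pin to the new certificate only when every viewer agrees on it."""
        if self.assess(host)["verdict"] != "rotated":
            return False
        self.pinned[host] = next(iter(self.latest[host].values()))
        return True


def run_demo() -> dict:
    """Three days of constructed observations for one host; returns each step's result."""
    log = CertObservationLog()
    host = "example.test"
    # Day 1: three viewers all see the same certificate; the first sighting pins it.
    first = [log.observe(host, v, CERT_ORIGINAL) for v in ("alice", "bob", "carol")]
    day1 = log.assess(host)["verdict"]
    # Day 2: one viewer is shown a different certificate while the others are not.
    bob_status = log.observe(host, "bob", CERT_INTERPOSED)
    day2 = log.assess(host)
    # Day 3: the site rotates its certificate and every viewer sees the new one.
    for v in ("alice", "bob", "carol"):
        log.observe(host, v, CERT_ROTATED)
    day3 = log.assess(host)["verdict"]
    repinned = log.accept_rotation(host)
    return {
        "first": first, "day1": day1, "bob_status": bob_status,
        "day2": day2, "day3": day3, "repinned": repinned,
        "pinned_now": log.pinned[host] == fingerprint(CERT_ROTATED),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The majority vote is deliberately simple: with a real population of viewers you would also weight by time (a rotation shows up as a change that spreads across everyone within a short window) and keep the old fingerprint around until the new one has been seen widely, since a single viewer's "changed" on its own cannot tell a rotation from interception.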
