Re: Huh?
You can manually add a CA if you want to, but automatically adding one to every browser in Russia is going to be a lot harder. The average citizen is going to not do that, visit a site that redirects to HTTPS, and get a browser warning.
"Anyway, TLS is pretty broken as this demonstrates."
Neither the part I answered nor the rest of your comments demonstrates this. TLS as a protocol doesn't care where the CAs are. It's fine. Even including the issue of CA governance and use, you need to demonstrate why the existing system is flawed; less centralized power might be nice, but it would also eventually weaken the ability to monitor for unsavory behavior and revoke those untrustworthy authorities, something browser-makers frequently do. Requiring every site to issue a key and find lots of others to cosign it will not be done by many sites, putting users at greater risk.
Biting the hand that feeds IT
