In theory, there should be a triangle of trust, in which Customers trust Issuers, Service Suppliers trust Issuers, and Customers trust Service Suppliers.
However, this isn’t what we have. Browsers hold lists of Issuers (Root CAs). Customers trust Browsers, because they use the list of Root CAs that comes installed; Issuers trust Browsers, because otherwise they don’t get listed; and Service Suppliers trust Browsers, because Browsers validate the digital certificates obtained from Issuers. So what we have instead is an inverted T.
To make matters worse, there is no practical mechanism for Customers to express trust among themselves, for Service Suppliers to express trust among themselves, or even for Issuers (Certificate Authorities) to express trust among themselves. This gives even more power to the Browsers and the companies that control them.
Another element of trust is IdPs, identity providers such as Facebook accounts, Google accounts, or Twitter accounts.
Because of network effects, and to make registration easier, many Service Suppliers have no choice but to rely on these oligopolistic hubs.
Big Tech reaps enormous profits from this centralization of trust, as it has visibility of most interactions between Customers and Service Suppliers and can exploit that information to its advantage.
What we need and don’t have, from a competition, security and privacy point of view, are mechanisms for Issuers, Service Suppliers and Customers to declare trust relationships among themselves, so that we have real interoperability and a market of trust that can benefit all participants.
If we had these mechanisms, the role of Identity Providers would disappear, and with it much of the leverage that Big Tech has to control our use of the Internet.