> what realistic alternative choices actually exist?
Yeah, that's a problem. I certainly can't think of one. But even if there were, it would still be an enormous struggle just to shift to using it at this point. That struggle also means that there isn't a huge amount of effort being put into finding a better way.
The CA system certainly has great benefits in terms of delivering reasonable security in a relatively convenient way, but that doesn't take away from the fact that it still sucks in a ton of different ways that are inherent to the idea. It also can't be used (at least not without great struggle) in some situations.
I definitely agree that there is an inertia problem, as there is with a lot of technology. But I also think changes can happen quicker than people think if new alternatives are introduced that solve fundamental problems with the entrenched solution.
Arguably this actually has happened with the legacy CA system, people just don't think of it that way because it looks like Let's Encrypt and certificate transparency instead of something involving blockchain or whatever. LE and CT were huge disruptions in the CA space and in my view fixed a lot of the problems with the CA system, even if they didn't totally get rid of it. To borrow your excellent phrasing, they made it suck in a lot fewer ways than it used to. Maybe some complete replacement could do better, but there is a lot to be said for iterative improvement of an existing solution instead of hoping for a fantasy total replacement.
Interesting that you bring up LE as an improvement of the CA system. I view it as a fairly messy hack (with its own problems) around some of the faults of the CA system. I almost brought it up as an example of some of the faults of the system.
We both see the same thing, but through different lenses. I have no point here, I just found that interesting.