I am not sure what the point of this comment is. What conclusion do you come to as a result of this "everyone trusts CA" belief that is different from mine?
The point I'm trying to make is that the CA trust problem has been known for quite a long time now (although it's only recently arrived in the hivemind).
Sure, there's a lot of research being done to find the Next Great Thing (tm), but how about a short/mid-term emphasis on shoring up the glaring problems in the existing technologies first? Tighten the number of default CAs, shore up bad SSL and TLS code, tighten default settings in client software.
Things like Chrome popping up warnings about self-signed, expired, or invalid certs may have been a great start, but nobody's really tidying up much on the server end, so the end effect is that the users blindly click through the Chrome warnings.
TL;DR: The Next Big Thing (tm) is going to be great, I'm sure, but how about fixing/tightening existing configurations in the meantime?
You and I are saying exactly the same thing. TACK, for instance, doesn't replace the CA system; it creates a vehicle by which browsers can pin certificates on the fly, the way Chrome already pins certificates for certain web properties, which creates a key-continuity system without changing browser UI or the protocol as it is run between browsers and servers.
You and I might also agree: browsers make it too easy to click through the bad-cert warnings. It used to be a trendy thing to argue on HN that these warnings were entirely pointless and should be done away with, which, of course, would have done grievous harm to security above the harm already done by the click-click-click-you're-done UX browsers have already established here.
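The key-continuity idea described above, as an added example that is not part of this thread or of TACK's own code: a toy trust-on-first-use pin store that hashes the server's SubjectPublicKeyInfo, extends a pin's active window by how long the same key has been observed (capped at 30 days, an assumption modelled loosely on TACK's activation rule), and distinguishes a key change while the pin is active (a hard failure) from one after the pin has lapsed. Hostnames, key bytes and the clock are constructed inputs.

```python
import hashlib
import time

PIN_MAX_LIFETIME = 30 * 24 * 3600  # assumed cap: a pin stays active at most 30 days without re-observation


class KeyContinuityStore:
    """Trust-on-first-use pin store keyed by hostname (illustrative, not a TACK implementation).

    A pin is the SHA-256 of the server's DER-encoded SubjectPublicKeyInfo, so a
    certificate can be re-issued by any CA without breaking the pin as long as
    the server keeps the same key.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the behaviour can be exercised offline
        self._pins = {}            # host -> {"pin", "first_seen", "active_until"}

    @staticmethod
    def spki_pin(spki_der: bytes) -> str:
        return hashlib.sha256(spki_der).hexdigest()

    def check(self, host: str, spki_der: bytes) -> str:
        """Return 'new', 'match', 'mismatch' or 'replaced' for this connection."""
        now = self._now()
        pin = self.spki_pin(spki_der)
        entry = self._pins.get(host)
        if entry is None:
            # First contact: remember the key, but the pin is not enforced yet.
            self._pins[host] = {"pin": pin, "first_seen": now, "active_until": now}
            return "new"
        if entry["pin"] == pin:
            # Same key seen again: activate/extend the pin for as long as we have observed it, capped.
            entry["active_until"] = now + min(now - entry["first_seen"], PIN_MAX_LIFETIME)
            return "match"
        if entry["active_until"] >= now:
            # Key changed while the pin is active: possible mis-issuance or interception; do not replace.
            return "mismatch"
        # Pin lapsed before the key changed: treat as a legitimate rotation and start over.
        self._pins[host] = {"pin": pin, "first_seen": now, "active_until": now}
        return "replaced"


if __name__ == "__main__":
    clock = [1_000_000.0]  # constructed clock, seconds
    store = KeyContinuityStore(now=lambda: clock[0])
    print(store.check("example.test", b"constructed-spki-A"))  # new
    clock[0] += 86400
    print(store.check("example.test", b"constructed-spki-A"))  # match (pin now active for one day)
    clock[0] += 3600
    print(store.check("example.test", b"constructed-spki-B"))  # mismatch
```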
I disagree with the list he uses; I would have said that most developers and many sysadmins trust CAs. The point is that, no, the phrase "nobody trusts CAs" is wrong; many people trust CAs.
In fact I think that so many people trust CAs that if someone provides a more secure alternative it should look like an evolution of CAs so it doesn't piss off people who have been trusting CAs all this time.