For the moment there are hundreds of them: businesses who claim that they can give a certificate to anyone about anyone (printing their own money, in fact).
No industry or economy can exist when everybody can print its own money and then has to prove to everyone that his money is really worth something.
Compare it with our identity in the real world.
It is the state who gives you, based upon records, a card that states that you are who you say you are, and people trust that card because it has been given by the state (enough). Imagine that everyone could start making passports.
In the present internet world it is impossible to establish a separate certificate authority for each country (and this wouldn't mean it would be safer, because some countries don't even have a state to speak of, or have one that you can't trust, or one where the records still have to be made up or aren't even worth the paper they are printed on).
So we will be stuck with the few big Certificate Authorities and the hundreds of smaller operations who claim to be one. They will have to give you the proof that on the web you are who you say you are, that your business is really on that server, and that the server in question really belongs to the hoster where you say it is (and is not a hacked server in Russia, for example).
The problem today is that the big brothers and sisters (the top 5 or 10 CAs, the business leaders) don't talk enough with each other and are more afraid of each other than they should be. They should understand, however, that they (the big ones) are the first who will get much more business when the whole CA sector has to implement stricter procedures, is audited, and has to pay for a set of cooperative organisations that will be responsible for, for example, tracking security threats and incidents, doing the anonymized cross-checking of their certificates (to verify that they correspond to the rules, have the same quality of information, and that there are no dubious doubles), and safeguarding the necessary technical information about the installations so that the CAs don't have to publicize that precious information themselves to all of you (including the hackers who love that kind of information).
The big brothers and sisters of the CA industry should meet soon and talk like the credit card companies did when fraud was becoming a direct threat to their online business and even to the trust in their credit cards themselves. They established PCI, which is not perfect, but it is a beginning, and the CA industry has for the moment nothing of the kind.
This meeting between the big CAs will be high-level poker and it will be difficult to have some level of trust between them, but they have a unique once-in-a-lifetime opportunity to establish themselves as the main power base of the certificate business, one that can be trusted because they have the same stringent security and control procedures and because they have established organisations for their member CAs to coordinate the new and permanent security threats.
It will cost money to comply, to become a member and to be certified (and to be able, for example, to participate in tenders from public authorities and big corporations), but the result will be that for the small businesses who thought it was a way to earn money without investing much, it will be the end of their amateurish CA existence. Their security cost will be higher than their revenue because their certificates are too cheap, or because they sell too few of them, or because they don't have the additional business services that make the real big money roll in. And even if they continue to exist, there will come a day that browsers will refuse to trust their certificates automatically, or that security warnings will pop up because the CA is not certified as secure, which would make their certificates worthless.
It will also make it much more difficult for
* web services to use their own home-made certificates for free, or to make certificates only for the domains and not for their subdomains, for the program code but not the add-ons, for the website but not the forms on it, and so on. In fact, home-made certificates will be killed by the browsers and by the insecurity instincts that the latest incidents have created with the public.
* hosters and other businesses who were selling their own certificates as a sideline; they will understand quickly that the costs will continue to increase while their risks have increased enormously, because they will be the lower-hanging, attractive fruit for the hackers. They will understand that they can do it more easily by allying themselves with one of the big CAs without having to install expensive hardware and software on their own network (it can all be done through separate lines and infrastructure which is encrypted from end to end and separated from the other internal processes of the CA provider, where a manual control or audit transfers the requests for certificates from the external environment to the internal one).
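As an added example (not code from the original post), here is the hostname-matching rule that browsers apply to a certificate's Subject Alternative Name entries; it shows concretely why a certificate issued for a domain does not cover its subdomains unless a wildcard entry is present. The certificate contents below are constructed samples, not real certificates.

```python
"""Which hostnames does a certificate actually cover?

Given the dNSName entries of a certificate's Subject Alternative Name
extension, decide whether a hostname is covered. The rules follow
RFC 6125 section 6.4.3 as browsers apply them:
  - comparison is case-insensitive and ignores one trailing dot;
  - a name without a wildcard must match exactly, so "example.com"
    does not cover "www.example.com";
  - a wildcard is accepted only as the whole left-most label
    ("*.example.com"), stands for exactly one label, and never
    matches the bare domain itself.
Public-suffix checks (rejecting "*.co.uk") are out of scope here.
"""
from __future__ import annotations


def _normalize(name: str) -> str:
    """Lower-case and strip one trailing dot: 'Example.COM.' -> 'example.com'."""
    return name.rstrip(".").lower()


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Check one SAN dNSName pattern against one hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Only "*.rest" is accepted: no "w*.example.com", no "*.*.com", no "*.com".
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    # The wildcard stands for exactly one non-empty label.
    return (
        len(host_labels) == len(labels)
        and host_labels[0] != ""
        and host_labels[1:] == labels[1:]
    )


def covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName entry covers the hostname."""
    return any(_pattern_matches(p, hostname) for p in san_dns_names)


# Constructed sample: a certificate issued for the bare domain only.
BARE_DOMAIN_CERT = ["example.com"]
# Constructed sample: the bare domain plus a one-level wildcard.
WILDCARD_CERT = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for cert, host in [(BARE_DOMAIN_CERT, "www.example.com"),
                       (WILDCARD_CERT, "forms.login.example.com")]:
        print(cert, host, covers(cert, host))
```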
An advantage for the big CAs will be that they can have local offices in many countries, so that it will be easier and cheaper to double-check the authenticity of information and to develop even more personalised certified information services. I want to buy something online but I want to know if that firm really exists? Who are you going to call? If they had, for example, an eBay-seller certificate it would be easier (just one example of new business that could be developed).
On the 16th of September all the CA businesses will have to respond to a whole list of questions from Firefox, who want more guarantees.
The one remark I totally agree with is that certificates for important international web services like Google and Facebook should never, NEVER be given by ANY machine and should always be controlled manually.
I would even go a bit further and say that this should also be the case for domain names. Domain names with trademarked names of important web services and financial services in them should never, under no excuse whatsoever, be used, except if it is totally clear that it is not a business site (like for example Ihatevisa.com or mastercardsucks.com; but for example mymastercard.bz should always be under the control of Mastercard).
This would make it a bit more difficult for phishers and reinforce trust, but I agree that this is another matter.
Meanwhile I would like to hope that the big CAs will meet soon and take some hard but necessary decisions that may change the future of the internet and re-establish trust, because honestly, are those hundred trusted certificate root services equal, and should they all be trusted equally? After reading the DigiNotar report it is clear that this is absolutely not the case.