Following the discussion at the Radboud University on the future of authenticating websites, I lead a similar discussion at TNO. This again lead to many remarks and suggestions, many of which were also raised in Nijmegen. But a few new observations were made as well.
User centricity should not mean that users are burdened unnecessarily. The best security is transparent to the user. However, as trust is a matter of choice, users should be given this choice, explicitly. That’s what user-centricity is about in this context (so the requirement should probably be called “users have a choice”.
The scope of a CA should be limited. CA’s should be bound (externally) to certain domains. It should not be possible for a German CA to sign for Dutch domains. Similarly, Dutch certificates for Iranian or .com domains should not be accepted as genuine.
A single point of failure should not exist. Perhaps two-factor authentication (similar to the fixed fingerprints encoded in Chrome that were used to detect the fraud with the certificates in Iran) can be used universally. For extra security, you should be able to “phone the cloud” to request a fingerprint corresponding to the certificate for a high risk website.
The solution should be stateless. This has two advantages: the system is by default location independent. Moreover, the system is less prone to errors, either through crashes or through malicious attacks, on the local user machine.