Comment 117 for bug 232340

In , David-rossde (david-rossde) wrote:

Part of what is requested in comment #104 already exists. For each CA certificate, you can indicate any combination of use: authenticating Web sites, authenticating and encrypting E-mail, and authenticating software distributors.

I don't know if the overall standard for certificates supports degrees of trust. If not, then the requested capability would require software implementation within Firefox, Thunderbird, and SeaMonkey. It would also require an exercise of judgement relative to the trustworthiness of a certificate for which there is no published standard.

For degrees of trust relative to E-mail, you might consider using PGP. PGP allows two levels of validity: valid (you know that the key belongs to the asserted owner) and invalid (you don't know whether the key belongs to the asserted owner -- not that the key is bad, only that you don't know). Also, PGP allows three levels of trust: trusted (a signature by that key on another key is as good as your own signature), partially trusted (you need the signature of at least one other partially trusted key), and untrusted (you ignore signatures from that key). Note that these levels are part of the design of the PGP software (and likely other products conforming to RFC 2440 such as GPG) and not inherent in the keys themselves.

I'm not sure that requiring each CA to obtain the signatures of other CAs would work. The CAs are in competition with each other and would likely either decline to sign a competitor's certificate or charge an exorbitant fee. Since such signatures expire, this would be an ongoing point of contention whereby a dominant CA could actually drive smaller competitors out of business. It certainly would keep non-profit CAs (e.g., CACert) out of the market.
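The comment above separates two things that are easy to conflate: a key's validity (do we believe it belongs to its claimed owner?) and the owner trust we assign to it (how much weight its certifications of other keys carry). The toy web-of-trust calculator below makes that separation concrete. It is an added example, not code from this bug thread, from Firefox/Thunderbird, or from PGP/GnuPG; the key names and certifications are constructed, and the number of partially trusted certifications needed is a parameter (the comment describes one as sufficient; GnuPG's default `--marginals-needed` is 2). As in GnuPG, a certification only counts if the certifying key is itself valid, and owner trust lives in a local table rather than in the keys.

```python
"""Toy PGP-style web-of-trust validity calculation (constructed example)."""
from enum import Enum


class Trust(Enum):
    """Owner trust: how much we believe a key holder's certifications of others."""
    UNTRUSTED = 0   # certifications by this key are ignored
    PARTIAL = 1     # MARGINALS such certifications are needed to validate a key
    TRUSTED = 2     # one certification by this key is as good as our own
    ULTIMATE = 3    # our own key: valid by definition, fully trusted


# Assumed local owner-trust table. Keys not listed are UNTRUSTED.
OWNER_TRUST = {
    "me": Trust.ULTIMATE,
    "alice": Trust.TRUSTED,
    "bob": Trust.PARTIAL,
    "carol": Trust.PARTIAL,
    "eve": Trust.UNTRUSTED,
    "frank": Trust.TRUSTED,     # trusted, but (below) never validated
}

# Constructed certifications: subject key -> set of keys that signed it.
CERTS = {
    "alice": {"me"},
    "bob": {"me"},
    "eve": {"me"},
    "carol": {"alice"},           # one TRUSTED signer suffices
    "dave": {"bob", "carol"},     # two PARTIAL signers
    "erin": {"bob"},              # only one PARTIAL signer
    "henry": {"eve"},             # signer is valid but UNTRUSTED
    "frank": {"mallory"},         # signer is not a valid key at all
    "gina": {"frank"},            # signer is trusted but not valid
}


def compute_validity(owner_trust, certs, marginals_needed=2):
    """Return {key_id: bool} saying which keys we consider valid.

    A key is valid if it is our own (ULTIMATE), or if it is certified by at
    least one valid TRUSTED/ULTIMATE key, or by at least `marginals_needed`
    valid PARTIAL keys. Certifications from UNTRUSTED keys, from keys that are
    not themselves valid, and self-certifications are ignored. Iterates to a
    fixed point because validating one key can make its certifications count.
    """
    keys = set(owner_trust) | set(certs)
    for signers in certs.values():
        keys |= signers
    valid = {k: owner_trust.get(k) == Trust.ULTIMATE for k in keys}

    changed = True
    while changed:
        changed = False
        for key in keys:
            if valid[key]:
                continue
            full = partial = 0
            for signer in certs.get(key, ()):
                if signer == key or not valid.get(signer, False):
                    continue
                trust = owner_trust.get(signer, Trust.UNTRUSTED)
                if trust in (Trust.TRUSTED, Trust.ULTIMATE):
                    full += 1
                elif trust == Trust.PARTIAL:
                    partial += 1
            if full >= 1 or partial >= marginals_needed:
                valid[key] = True
                changed = True
    return valid


def invalid_keys(owner_trust=OWNER_TRUST, certs=CERTS, marginals_needed=2):
    """Sorted list of keys we cannot validate under the given threshold."""
    validity = compute_validity(owner_trust, certs, marginals_needed)
    return sorted(k for k, ok in validity.items() if not ok)


if __name__ == "__main__":
    for needed in (2, 1):
        print(f"marginals_needed={needed}: invalid ->", invalid_keys(marginals_needed=needed))
```

Running it shows the two levers acting independently: `frank` is fully trusted yet invalid (nobody we believe has certified his key, so his trust never applies and `gina` stays invalid too), `eve` is valid yet untrusted (so `henry` stays invalid), and only the threshold decides `erin`'s fate.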