Theodore Ts'o wrote:

> One of the reasons why the bogus Diginotar certificates were detected
> was because Google Chrome had a feature called "certificate pinning"
> --- which is not a feature normally associated with PKIs.

It has nothing to do with PKI, because the security key is directly
shared end to end.

It is simple public key cryptography without PKI.

> It's
> unfortunately not all that scalable,

End to end security is inevitably not scalable.

> The challenge
> is coming up with a solution that *is* more scalable,

There is no royal road in secure communication.
Masataka Ohta
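The pinning check the thread is talking about, as an added example that is not code from either writer: the client hashes the presented certificate's SubjectPublicKeyInfo (RFC 7469 style, base64 of SHA-256) and accepts only keys it already holds, so a certificate that chains to a trusted CA but carries a different key is rejected without the issuer ever being consulted. The DER helpers, the `toy_cert` skeleton and the sample keys are constructed for this example; `toy_cert` builds the RFC 5280 field order but not a valid signed certificate.

```python
import base64
import hashlib

# Toy DER helpers (added example code, not a real ASN.1 library).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    _, tbs, _ = read_tlv(read_tlv(cert_der, 0)[1], 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    return tlv(*fields[5])  # serial, signature, issuer, validity, subject, SPKI
def spki_pin(cert_der):
    """RFC 7469 style pin: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()
def pin_matches(cert_der, pinned):
    """Accept only a key the client already holds; the issuer is never consulted."""
    return spki_pin(cert_der) in pinned

def toy_cert(issuer_cn, subject_cn, key_bytes):
    """Constructed skeleton with RFC 5280 field order; not a valid, signed X.509 cert."""
    seq = lambda *items: tlv(0x30, b"".join(items))
    name = lambda cn: seq(tlv(0x31, seq(tlv(0x06, b"\x55\x04\x03"), tlv(0x0C, cn))))
    sig_alg = seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    spki = seq(seq(tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")), tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), sig_alg, name(issuer_cn),
              seq(tlv(0x18, b"20240101000000Z"), tlv(0x18, b"20250101000000Z")), name(subject_cn), spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00\xAA\xAA\xAA\xAA"))  # signature value is constructed junk

# Constructed sample data: the key the client has pinned, and a mis-issued certificate's key.
SERVER_KEY, ROGUE_KEY = b"\x01\x02\x03\x04", b"\x09\x09\x09\x09"
LEGIT = toy_cert(b"Trusted CA", b"www.example.com", SERVER_KEY)
MISISSUED = toy_cert(b"Trusted CA", b"www.example.com", ROGUE_KEY)  # same CA, same name, wrong key
PINNED = {spki_pin(LEGIT)}
```

`pin_matches(MISISSUED, PINNED)` is False even though the certificate names the same trusted CA, while a certificate for the same key from a different issuer still matches, which is the sense in which the check is independent of PKI.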