SSH is much easier than X.509. Why don´t we use SSH in the browsers?
The thing I see is that we have different application domains, that somehow naturally have different demands:
- 1 Connections between devices you own
- 2 Connections between your device and someone else´s device
- 3 Application- and System-integrated solutions
- 4 Encryption and Signature as tool for the user
- 5 VOIP
SSH works great for scenario 1: It´s your own server you want to connect to, so you know, whether the key should have changed or not. SSH does not work for scenario 2, because you don´t know whether the server operator decided to renew the server-key PGP works great for 4, since the network-style keymanagement is flexible for a user that wants encryption as a tool PGP does not work that well for Scenario 3, since network-style keymanagement doesn´t scale that well for automatic integration X.509 works good for scenario 2, since a trusted third-party can tell you whether the server-public-key, and it´s efficient for that task X.509 works good for scenario 3, since it was designed to be integrated, and mostly not to be visible. VOIP has even very different demands, that are better fulfilled by Z-Phone and Skype.
But all of those systems have their drawbacks. Who verifies SSH fingerprints in practice? Who signed the people´s keys that didn´t showed up at the keysigning party? Who do you trust in X.509? What for? What about Traffic Analysis?