httpy:// Tyler Close (tjclose@yahoo.com)
Fri, 12 May 2000 22:22:43 -0400

Reading the following article got me to thinking about a VLS-like service for the web.

http://slashdot.org/article.pl?sid=00/05/12/2141250&mode=thread

I have a basic sketch of an idea and thought this might be a good place to flesh it out.

An HTTPY URI is the same as an HTTPS URI, except that in place of the domain name is the hash of the server's public key. For example, https://www.waterken.com/products.html becomes httpy://3AA43D308E0E7EB1B5A5BBA082AB4E83762C92D8/products.html. (The public key hash could also be encoded in a base64 encoding as in E's cap URIs).

When the user clicks on an HTML anchor that has an HTTPY href, the browser passes the URL to its HTTPY protocol handler. This protocol handler contacts an SLS (Site Location Service, like E's Vat Location Service) server, and sends it a location request for the public key hash. The SLS server responds with an IP address and a DNS-style hostname. The protocol handler then initiates an HTTPS connection with this IP address and hostname. In the server certificate authentication stage of the SSL protocol, the HTTPY protocol handler ignores any signing information on the server's certificate, using instead the key hash contained in the HTTPY URI. If the HTTPS connection fails, then the HTTPY protocol handler attempts an HTTP connection. In this case, no authentication is done, so the user should be notified with an alert dialog.

On the server side, the web server can't tell the difference between a client using DNS/PKI and one using HTTPY. All it takes is a frisky web admin willing to submit the site's public key hash, IP address and hostname to an SLS. Since you're not modifying the site in any way, the boss will never notice. It has to be the web admin, since you'd have to prove knowledge of the private key corresponding to the public key hash in order for the SLS to accept the entry.

On the client side, the "only" thing you need to do is add the HTTPY protocol handler, and a configuration dialog for setting up SLS servers. Theoretically, it should be easy to add this to Mozilla. I say theoretically, since I wonder if AOL might nix the idea. They nixed the "turn off banner ads" option, so nixing a "disintermediate Network Solutions and VeriSign" option might fit their profile. Getting the protocol handler added to IE might prove impossible, at least at first. I imagine there's some money flowing between MS and VeriSign. Perhaps getting it into Mozilla would be enough of a kick-start.

New sites can add themselves to an SLS by just generating their own self-signed key pair and submitting the public key hash, IP address and "any damned hostname they feel like" to an SLS. Anyone freedom minded can run an SLS on their server. No admin, no fees.

So long as a site's HTML is mostly done with relative URLs, there shouldn't be many editing changes needed. Once cleaned up, the same HTML works with both HTTPY and HTTPS.

Some open questions:


  1. Has somebody already thought of this too? Are they doing anything about it?
  2. Are the acronyms already taken? Are they any good? I added 'Y' to HTTP because it sort of looks like the lambda in the Granovetter Diagram. Sorta makes it look like a 'HIPPY' URL too ;)
  3. I think I remember reading that most SSL implementations already have the logic for using the public key hash instead of a CA cert. Can anyone verify?
  4. Anybody know anybody on the Mozilla team?

Tyler
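
The client-side check described in the message, as an added example that is not part of the original post or of any existing implementation: the handler parses the key hash out of the httpy:// URI, treats the SLS answer as untrusted, and accepts the server only if the key it presents hashes to the value in the URI. Assumptions: SHA-1 as the hash (inferred from the 40 hex digits in the post's example), a key mismatch is rejected outright rather than falling back to HTTP, and the names parse_httpy, key_matches, resolve_and_check, sls_at and fetch, the keys and the addresses are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumption: the 40-hex-digit hash in the post's example is SHA-1 (160 bits)
# over the server's encoded public key; the post names no hash function.
HASH = hashlib.sha1

def parse_httpy(uri):
    """Split an httpy:// URI into (expected key hash bytes, path)."""
    parts = urlsplit(uri)
    if parts.scheme != "httpy" or not parts.hostname:
        raise ValueError("not an httpy URI")
    try:
        pin = bytes.fromhex(parts.hostname)
    except ValueError:
        raise ValueError("authority is not a hex key hash") from None
    if len(pin) != HASH().digest_size:
        raise ValueError("key hash has the wrong length")
    return pin, parts.path or "/"

def key_matches(pin, presented_key):
    """True only if the presented key hashes to the URI's pin (constant time)."""
    return hmac.compare_digest(HASH(presented_key).digest(), pin)

def resolve_and_check(uri, sls_lookup, fetch_server_key):
    """Hypothetical handler flow; both callables stand in for network calls."""
    pin, path = parse_httpy(uri)
    ip, hostname = sls_lookup(pin)          # SLS answer is untrusted input
    presented = fetch_server_key(ip, hostname)
    if presented is None:                   # HTTPS failed: plain HTTP fallback
        return ("unauthenticated", path)    # caller must alert the user
    if not key_matches(pin, presented):     # certificate signatures are ignored;
        return ("rejected", path)           # only the key hash decides
    return ("authenticated", path)

# Constructed sample data: two stand-in "public keys" and reachable servers.
GOOD_KEY = b"constructed-public-key-of-the-real-site"
EVIL_KEY = b"constructed-public-key-of-an-impostor"
URI = "httpy://%s/products.html" % HASH(GOOD_KEY).hexdigest().upper()
SERVERS = {"192.0.2.10": GOOD_KEY, "192.0.2.66": EVIL_KEY}

def sls_at(ip):
    """Constructed SLS stub that always answers with the given address."""
    return lambda pin: (ip, "www.example.test")

def fetch(ip, hostname):
    return SERVERS.get(ip)
```

An SLS that points at the wrong machine yields "rejected", which is why anyone can run an SLS without being trusted; only the "unauthenticated" outcome carries no guarantee.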


