> A modest, realistic ambition for a DNS-based PKI would be to improve
> the security of the binding between DNS entries and the associated
> machines

yes, I think this is right. it eliminates some kinds of threats. but it still doesn't guarantee that you're talking to the service you think you're talking to. and that's a difficult distinction to communicate to users. that and putting this much trust in the registries makes them very attractive targets.

Keith