> Well, we agree on the utility of having multiple PKIs. We disagree on
> the need for a PKI that happens to cover a specific name space that
> underlies the vast majority of IP-based communications, or at least
> you disagree on the desirability of that specific PKI given the
> reality of who runs which TLDs. But, you don't offer any suggestions
> on how to address the need that a DNS-based PKI satisfies.

I don't see it as a 'need' in that sense. If you want to increase the level of trust over the current situation, you pretty much have to either exchange keying material directly with that party, or pick a third party that *you* trust to serve as an intermediary. It's really hard to have multiple intermediaries because you need to trust them all. And just because someone runs a TLD doesn't mean that you want to trust them - it often means you should be wary of them.

It really doesn't have much to do with DNS - the problem is that real trust doesn't scale to that level no matter what the naming scheme or the protocol.

Keith