> From those perspectives, a registrar or registry who might
> collude with a criminal registrant to create deliberately
> deceptive names and associated registration data (or whose
> procedures allow similar results without explicit collusion) is
> fully as much part of the threat model as a CA that issues
> certificates without any attempt to verify the identity of the
> entity being certified or who colludes in deliberately hiding or
> distorting the information.

As far as I can tell, we don't have a good word to describe what DNSSEC does. It's "the entity sending you these RRs is the same one that set up the signature chain." You can be quite certain that it's the same entity that provided those RRs the last time you asked, but unless you have some external knowledge about the policies of the entities at higher levels in the chain, you have no assurance about its offline identity.

In that regard it's not unlike the current reality of CAs. Some of them still try to verify through external sources that an entity is who it says it is; others like StartSSL only check that you can get mail at the WHOIS contact address, so you're probably the entity that registered the domain.

Some of the existing contracted TLDs are supposed to verify that registrants have specific offline characteristics. As the proud registrant of airinfo.aero and airinfo.travel, I can assure you that they don't. Some of the new TLDs claim they will have similar restrictions, e.g., only actual banks in .BANK, but I'm not sanguine. Given the arguments over .WINE and .VIN, I can see I'm not the only one.

This is not particularly an ICANN problem -- many ccTLDs are just as bad.

R's,
John