John C Klensin wrote:

> With the understanding that it has failed often enough to bring
> the whole CA system into disgrace as well as helping to motivate
> X.509 changes to allow noting levels of authentication, there is
> at least some moral responsibility on the issuers of certs (for
> web sites or otherwise) to verify identity. There is, in
> general, no such obligation on DNS registrars.

I'm confused by this text. The Let's Encrypt CA that is about to go live in a couple of months will issue certificates automatically to any piece of software that can prove control over a domain. How is that different from DNSSEC?

The most common type of certificate used by the websites I visit is domain validated, which is exactly: this cert is issued to whoever controls the domain. Nothing about identity, etc.

Then there are extended validation certificates, which are supposed to be issued only after verifying the identity of the requesting party. But those are pretty rare.