On Sat, Dec 26, 2015 at 10:11:31PM -0500, John C Klensin wrote:

> And even that equation tends to be complicated by the
> observation that the trust relationship, as far as certification
> of identity is concerned, is with the registrars (and, in some
> cases, their agents and resellers) rather than with the
> registries. At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It hasn't been "are you who you say you are" for quite some time, not for the vast majority of certificates. EV certificates are rather rare, with the exception of some of the largest sites. Certainly the "Let's Encrypt" CA will not do anything resembling "are you who you say you are".

Once the question boils down to whether the party requesting the certificate controls the domain (rather than the "brand"), the only party with an authoritative answer to that question is the registrar on record for the domain. Provided the domain is registrar-locked, DNSSEC gets one about as much confidence as one can get in answer to this more modest question. The party who authorized the DS records via the registrar has administrative control over the domain's DNS and thus can delegate authority over any keys published at and below the zone apex.

This is certainly not a solution to phishing and the like, but it can provide useful keying material for application protocols.

--
	Viktor.
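The message above rests on the DS record being the point where the registrar-controlled parent zone binds the child's DNSKEY. As an added illustration (not part of the thread, and not code by its author), the following shows that binding concretely: the DS digest is computed over the canonical owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag follows RFC 4034 Appendix B. A validator compares the DS published by the parent against the DNSKEY served by the child, which is exactly the check that gives "do you control this domain" its cryptographic footing. The key bytes are constructed placeholders, not a real public key.

```python
# Added example: how a DS record in the parent zone binds a DNSKEY in the
# child zone (RFC 4034 section 5.1.4 and Appendix B). Not code from the
# mailing-list thread. SAMPLE_KEY below is constructed, not a real key.
import hashlib


def canonical_owner_name(name: str) -> bytes:
    """Wire-format owner name, lowercased (RFC 4034 section 6.2 canonical form)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        encoded = label.encode("ascii")
        if len(encoded) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(encoded)]) + encoded
    return out + b"\x00"  # root label terminates the name


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for algorithms other than RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    return hashers[digest_type](canonical_owner_name(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """What the child hands to the registrar and the parent publishes:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The validator's check: does the child's DNSKEY correspond to the parent's DS?"""
    tag, alg, dtype, digest = ds
    if key_tag(rdata) != tag or rdata[3] != alg:
        return False
    return digest == ds_digest(owner, rdata, dtype)


# Constructed sample: KSK flags (257), protocol 3, algorithm 13 (ECDSAP256SHA256),
# with a placeholder 64-byte key. A real zone would carry its actual public key.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, bytes(range(64)))

if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_KEY)
    print("DS for %s: tag=%d alg=%d type=%d digest=%s"
          % (SAMPLE_OWNER, ds[0], ds[1], ds[2], ds[3].hex()))
    print("matches published DNSKEY:", ds_matches_dnskey(ds, SAMPLE_OWNER, SAMPLE_KEY))
    # A key swapped in without the registrar-authorised DS changing fails validation.
    rogue = dnskey_rdata(257, 3, 13, bytes(range(1, 65)))
    print("matches substituted DNSKEY:", ds_matches_dnskey(ds, SAMPLE_OWNER, rogue))
```

The point the snippet makes for the discussion: anyone can publish a DNSKEY or a TLSA record in a zone, but only a party able to change the DS through the registrar can make a validator accept a different key, which is why the message locates the trust decision at the registrar rather than at the CA.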