On 27 Dec 2015, at 4:11, John C Klensin wrote:

> At that point, the number of trusted intermediaries
> gets back toward order 40 or 100, not one, unless the question
> is "do you control this domain" rather than "are you who you say
> you are".

It is not that bad, as the domain in question is bound to one and only one registrar, which is a mapping that the registry is keeping track of. It is not the case that any registrar can make any change to any domain name.

So, with today's CA system, any CA can sign a cert with any domain name in the CN. With the DNS and DNSSEC, only registries in the hierarchy from the root can publish the DS, and only one registrar can pass the DS to the parent for publication.

Patrik