It seems like you're talking past each other here. >The registry do keep track of which ones of the registrars can make changes, so not every registrar >(i.e. intermediary) can become "trusted". That's certainly true, and auth codes make it fairly hard to move a domain from one registrar to another without inside help from whoever reads the registrant's e-mail. On the other hand, there are over 2100 registars in ICANN's list, and even after accounting for 300 that are Namebright and another 300 that are Netsol, and so forth, there's probably close to a thousand of them, some of which take security more seriously than others. There are certainly registrars who will accept names that are obvious phishes, there are registrars that can be socially engineered to reset accounts (I did that once, but it was for a virtuous reason), and so forth. Making life even more confusing, while most registries and registrars strictly limit registrations to anyone whose credit card isn't rejected, there are a few that make more or less credible attempts to validate that registrants are who they claim to be. The sTLDs like .aero, .travel, .coop and .jobs make some effort to verify that registrants are members of the relevant community, although the checks have gotten pretty perfunctory as the money failed to roll in. (I can tell you about .aero and .travel.) The .pro domain was supposed to be for licensed professional doctors, lawyers, accountants, and engineers, but a combination of financial problems and registrar gimmickry made the checks ever feebler until last month they gave up and now it's purely generic. The .coop domain checks that you're a co-op when you register, but never checks again. One time I noticed that the registrant for chicken.coop had sold out and wasn't a co-op any more. I told the .coop registry, and its head personally thanked me and asked me to tell her about any other misregistrations I noticed. Uh, OK. In the latest round, .ngo/.ong is making a reasonable attempt to verify that applicants really are NGOs and that the domain name is related to the organization name. I have talked to someone from Encirca who is working with .bank to do something similar. It's too early to find out whether they'll stick with it as their business models fail, but even if they do persist, there's no DANE version of a green bar certificate so it's not clear how much good it will really do. R's, John