[Cryptography] Certificates and PKI

[John Levine]

>> Is your concern that a registrar is able to modify each of the A, AAAA
>> and TLSA-records of any entrusted domain? Either voluntarily or coerced?
>
>Yes.

That's an entirely reasonable concern, since registrars take down
something like 10,000 domains a day, and the US government regularly
takes over domains that they believe are being used for criminal
activity.  (See http://www.myredbook.com/ for an example.)

On the other hand, since anyone who reads the mail at the WHOIS
contacts for a domain can get a DV certficate anyway, it's not obvious
that this observation makes things any worse than they really are.

The basic problem, which I expect everyone here understands, is that
it is expensive to verify that a name belongs to a person or other
meatspace entity, and nobody wants to pay what it actually costs.
When I got my first SSL cert 20 years ago, it cost over $100 and I had
extensive negotiations with Thawte's rep until I faxed her enough
stuff to persuade her that abuse.net was what I said it was.  Now you
can get the same cert for about $5 and a clickthrough, and within
rounding error, nobody cares.

R's,
John