by lifeisstillgood 3933 days ago
But the certificate is (supposed) to say we have verified that this person / organisation exists and is "allowed" this domain.

Now if we extend the idea of every business or even human having their own (sub)-domain (lots of good benefits there) then we are in the territory of ensuring the CAs track you from birth - that's what governments do, and boy are they expensive.

I think what I am saying is we either have a CA we can trust or we dump the whole thing and go to a web of trust.

1 comments

That ship sailed years ago. And now we have EV certificates to deal with that problem.
For the time being, it's DNS registrars who define who is allowed particular domain names, and DV CAs just try to draw the connection between what the registrars have said and the server you're visiting at a particular moment.