[nailer]

Sure, but registrars would need to start doing a lot better job of checking the identity of people applying for domains, otherwise we'd just end up with domain validated certificates all over again.

As the grandparent post notes, all CAs completely automate domian validation at present.

[0x0]

My point is that regular domain validated CA should be the sole job of registrars. It would even prevent parallel certs being fraudulently issued - a domain can only be registered at one registrar at one time.

Sure, you could have the other CAs still offer EV (real-world identity) validation as a value-add.

But it's pretty silly that, currently, you have to pay a third party (today's CAs) to validate something that the registrar already knows for sure.

[kej]

The other side of that argument is that if your registrar is also your CA, they have the ability to give bogus SSL certs to an evil server and the ability to direct your domain to that evil server.

[0x0]

They can already do that, as they could temporarily hijack your NS records and buy a cert somewhere else. If you can't trust your registrar, you have bigger problems (I'd say "all is lost")

On the flipside, having a registar act as the only valid CA would mean that choosing a trustworthy registrar suddenly has real value. Power users could make an educated opinion on the trustworthyness of a given domain validated CA. Domain owners could be sure they're not at risk for how in the current system, an adversarity could get a valid parallel SSL certificate from a sloppy bargain-bin CA, even if the domain owner picked the most expensive and diligent CA and registrar for themselves.

[schoen]

A lot of folks might not have thought through the weakest-link aspect of the current system: they feel like they're safer because they chose to use a reputable or trustworthy CA. But misissuance events that I've heard of have never involved CAs that the victims had any business relationship with at all.