Hacker News
by tialaramex 2175 days ago
> Verisign (who still manages .com, but who was too incompetent to run a CA and sold it to people who have been hard at work trying to clean up the mess)

The Verisign CA function was sold to Symantec. That name might ring a bell too, because with these CAs set to be distrusted as a result of Symantec's mismanagement the whole business was again sold to DigiCert in 2017.

I think the perverse part of your reasoning is that you think .com is trustworthy now. It's one of the worst run registries. Its popularity with businesses probably tells you more about how scammy most businesses are than whether .com is trustworthy, and not very much about either.

1 comments

Not sure if you're directing that at me or the parent comment - my position is definitely that Verisign should not be trusted with certificate signing authority over .com. The comment I'm replying to seems to advocate Verisign (and nobody else) being able to issue microsoft.com certs, which I think is a bad idea.
If Microsoft is comfortable with microsoft.com despite the .com registry being appallingly run I don't see any problem with that, just as I wouldn't see any problem with Microsoft choosing to open a Microsoft store in the almost-abandoned decaying mall at the far edge of town whose only other tenants are a discount furniture store and a company that sells only a single item and never has any customers.

It's a mistake to separate out the certificate signing authority for different attention if it would be (as in DNSSEC) hierarchically constrained. Verisign can already screw up badly enough to cause Microsoft to lose control of microsoft.com or let somebody else have it. They've apparently decided they're comfortable with their capacity to mitigate that risk. Fine.