by geofft 2175 days ago
Not sure if you're directing that at me or the parent comment - my position is definitely that Verisign should not be trusted with certificate signing authority over .com. The comment I'm replying to seems to advocate Verisign (and nobody else) being able to issue microsoft.com certs, which I think is a bad idea.
1 comments

If Microsoft is comfortable with microsoft.com despite the .com registry being appallingly run I don't see any problem with that, just as I wouldn't see any problem with Microsoft choosing to open a Microsoft store in the almost-abandoned decaying mall at the far edge of town whose only other tenants are a discount furniture store and a company that sells only a single item and never has any customers.

It's a mistake to separate out the certificate signing authority for different attention if it would be (as in DNSSEC) hierarchically constrained. Verisign can already screw up badly enough to cause Microsoft to lose control of microsoft.com or let somebody else have it. They've apparently decided they're comfortable with their capacity to mitigate that risk. Fine.