by belorn 1122 days ago
You said that registrars won't implement transparency logging, but certificate transparency was not created by certificate authorities. Google added it to Chrome, and they could just as easily add it to their own public resolver.

And then what happens? Google stops resolving .COM names? I don't think you've thought this through all the way.
"If Comodo knowingly misissues a Google Mail certificate, Google will nuke them from orbit" - tptacek

If Verisign knowingly misuses the .com root certificate, Google could nuke them from orbit by making it public. That is the whole purpose of certificate logs. Verisign operates on trust and is also a certificate authority.

The damage to Verisign if they lost their status as certificate authority and as a trusted company would create so much fallout I am doubtful that ICANN and DNS would be left without major scars.

I don't think you've thought this through all the way.

That's not at all what "nuke from orbit" means. Google broke Thawte and Verisign. They didn't simply "make it public". Thank you for clarifying this; I could have been clearer. I think the distinction between what's possible in CT and DANE is much more obvious now.