by asutherland 4405 days ago
Also somewhat off-topic but interesting in the context of DANE and the cost of certificates. Brian Smith (a Mozilla security contributor) recently said the following in a discussion about adding support for invalid/self-signed certificates to the Firefox OS e-mail app. The quote below can be found at the bottom of https://groups.google.com/d/msg/mozilla.dev.platform/lT4Mhi..., noting that I think the first TLS is meant to be TLD.

"Regarding DANE: Any TLS registry can apply to be a trust anchor in Mozilla's CA program and we'll add them if they meet our requirements. We can constrain them to issuing certificates that are trusted only for their own TLDs; we've done this with some CAs in our program already. Any CA can give away free certificates to any subset of websites (e.g. any website within a TLD). Consequently, there really isn't much different about the CA system we already have and DANE, as far as the trust model or costs are concerned."
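The "constrain them to issuing certificates that are trusted only for their own TLDs" part of the quote is the X.509 name constraints extension. As an added example (not from this thread, from Mozilla, or from any real registry), the Go program below uses only the standard library to build a hypothetical registry CA constrained to one TLD, issue a leaf from it, and check what a client that trusts only that CA concludes: a host inside the TLD validates, a host outside it is rejected. The TLD "example", the hostnames and the CA name are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses the result back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced is well-formed, so parsing cannot fail
	return cert
}

// VerifyUnderTLDCA builds a hypothetical registry CA name-constrained to tld, issues a leaf for
// hostname from it, and returns what a client trusting only that CA gets from Verify (nil = accepted).
func VerifyUnderTLDCA(tld, hostname string) error {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hypothetical " + tld + " registry CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: []string{tld}, // confines this CA to its own TLD
	}
	ca := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: hostname}, DNSNames: []string{hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, ca, &leafKey.PublicKey, caKey)
	roots := x509.NewCertPool() // the relying party's trust store holds only the constrained registry CA
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() { // prints <nil> for the in-TLD host and an error citing the name constraint for the other
	fmt.Println(VerifyUnderTLDCA("example", "shop.example"), VerifyUnderTLDCA("example", "shop.test"))
}
```

The same mechanism works one level down (a CA permitted only for "example.org" and its subdomains), which is how a browser can admit a registry or any other narrowly scoped issuer without extending trust to every name on the Internet.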