Hacker News
by jimktrains2 4263 days ago
> SSL makes man-in-the-middle attacks all too easy. Every owner of root certificates, that is, certificate authorities, secret services and big Internet providers, can intervene between user and server to intercept confidential information or even manipulate it.

This problem doesn't go away with DNS (in fact, without DNSSEC it's as good as a self-signed cert), and with DNSSEC, state actors/root delegates can still act maliciously.

Granted, I still think it's a better option than the current CA system; it just doesn't magically make certain kinds of attacks go away.