Comment by h4xar
11 years ago
You mention that the revocation-check problem is old, which is certainly true, but I think you allude to the possibility that a domain-registry-based hierarchy will exacerbate that problem in the form of an increase in revocation checks. I'm not sure that would be the case; it should be about the same. What difference does it make if I owned a domain, got a cert from a CA, and stopped owning the domain -- vs -- got that cert from my registrar? If anything this helps the process, because my registrar knows when I stop owning the domain whereas a CA has no clue and relies on the cert's expiration date exclusively.
I guess you're right - I was considering the fact that someone once owned a domain to be a threat, but it already is.
But with a delegated chain of certs, the problem does get worse - not least because you'd require individual domains to manage their own certificate revocation.
But since there's basically no secure way to obtain CRLs or perform OCSP cert validation, it's kind of moot.
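To make the last two replies concrete, here is an added example (my own code, not anything posted by the commenters above) of what a CRL check actually decides and where it fails open. It uses only the Go standard library; the CA, the leaf certificate, the names and the serial numbers are all constructed for the example, the function names (NewTestPKI, SignCRL, CheckCRL, Accept) are my own, and the network fetch of the CRL is simulated by handing CheckCRL either the CRL bytes or an error. Anything the client cannot verify (fetch blocked, bad signature, wrong issuer, stale list) comes back as "unknown", and the soft-fail policy is what turns "unknown" into "accepted".

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a CRL lookup tells the client; StatusUnknown means it got no answer it can trust.
type RevocationStatus int

const (
	StatusGood RevocationStatus = iota
	StatusRevoked
	StatusUnknown
)

// issue signs tmpl under parent with priv and parses the DER back into a Certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewTestPKI builds a constructed CA, one leaf it issued and the CA key that signs CRLs (names are made up).
func NewTestPKI() (ca *x509.Certificate, caKey *ecdsa.PrivateKey, leaf *x509.Certificate, err error) {
	if caKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		// CreateRevocationList refuses an issuer that lacks the crlSign bit or a subject key id.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if ca, err = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return
	}
	leaf, err = issue(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}, ca, &leafKey.PublicKey, caKey)
	return
}

// SignCRL issues a CRL from issuer, good for 12 hours, listing the given serials as revoked.
func SignCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []*big.Int, now time.Time) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// CheckCRL classifies leaf from whatever the CRL fetch produced. A failed fetch, an unparseable list,
// a bad signature, the wrong issuer or a list past NextUpdate is StatusUnknown, never StatusGood.
func CheckCRL(leaf, issuer *x509.Certificate, crlDER []byte, fetchErr error, now time.Time) RevocationStatus {
	rl, err := x509.ParseRevocationList(crlDER)
	if fetchErr != nil || err != nil || rl.CheckSignatureFrom(issuer) != nil ||
		!bytes.Equal(rl.RawIssuer, issuer.RawSubject) || now.After(rl.NextUpdate) {
		return StatusUnknown
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// Accept applies the client policy: soft-fail admits StatusUnknown (so blocking the fetch defeats the check), hard-fail does not.
func Accept(status RevocationStatus, hardFail bool) bool {
	return status == StatusGood || (status == StatusUnknown && !hardFail)
}

func main() {
	ca, caKey, leaf, err := NewTestPKI()
	if err != nil {
		panic(err)
	}
	crl, _ := SignCRL(ca, caKey, []*big.Int{leaf.SerialNumber}, time.Now())
	fetched := CheckCRL(leaf, ca, crl, nil, time.Now())
	blocked := CheckCRL(leaf, ca, nil, fmt.Errorf("connection timed out"), time.Now())
	fmt.Printf("CRL fetched: accepted=%t; CRL blocked: soft-fail accepted=%t, hard-fail accepted=%t\n",
		Accept(fetched, false), Accept(blocked, false), Accept(blocked, true))
}
```

Run it and the revoked leaf is rejected when the CRL arrives, but under soft-fail it is accepted the moment the fetch is blocked, which is the gap the "no secure way to obtain CRLs" remark points at. The same structure applies to a delegated chain: every issuer in the chain would need its own SignCRL equivalent, its own distribution point, and a client willing to fetch and verify each one.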