Any crypto is limited in scope to technically-oriented people. Most people host their data with others.
DNSSEC appeals to me because we already have to trust the domain name system. If your domain is deregistered for any reason, your communication fails whether you have secured your domain or not.
The only third party you need to trust is your TLD (which you have to trust anyway, see above). For people under .com, I understand your concerns, but there are other TLDs and trust is not delegated between them except for the root, and it is impractical to deregister the TLD when a few individual domains are questionable.
The important thing here is that a mischievous registrar can only sabotage domains registered with them, whereas a trusted CA is normally completely trusted to sign anything in the global root. That difference alone is worth it, in my opinion.
That also sums up my criticism against Marlinspike's article. He concludes that DNSSEC is not impervious to attacks, which should be trivially true, but ignores the fact that it is light-years ahead of what we have today.
What I mean by saying that proving identity is hard is only that, as far as I know, only governments have succeeded in doing it on the large scale required here. That most transactions are anonymous may be true but does not help us when we need to do secure transactions. Private CAs have proven to be a failure so far. Our choices are then between a large intergovernmental CA system (in effect delegating trust along the country TLDs) or to put our trust in DNSSEC. I would prefer the latter.