On 7/09/13 10:15 AM, Gregory Perry wrote:
> Correct me if I am wrong, but in my humble opinion the original intent
> of the DNSSEC framework was to provide for cryptographic authenticity
> of the Domain Name Service, not for confidentiality (although that
> would have been a bonus).

If so, then the domain owner can deliver a public key with authenticity
using the DNS. This strikes a deathblow to the CA industry. This
threat is enough for CAs to spend a significant amount of money slowing
down its development.
How much more obvious does it get?
If one is a finance geek, one can even calculate how much money the
opponents are willing to spend.
As an aside, NSA/DoD have invested significant capital in the PKI as
well. Sufficient that they will be well aligned with the CA mission,
and sufficient that they will approve of any effort to keep the CAs in
business. But this part is far less obvious.
The cryptography mailing list