This punts all the hard stuff to the registrars. Maybe that makes you feel better, but I think in terms of making the Internet secure that's a step sideways at best.


Hard stuff? All the registrar is doing here is taking a request from a CA and sending it to a user. The user sends back a reply and the registrar passes it along to the CA.

The current regime puts all the "hard stuff" on DNS and BGP (yikes). Instead you could put the "hard stuff" on an HTTP POST over a TLS connection.

The registrar already needed basic account security because otherwise anyone can just compromise the registrar account for a domain, change the authoritative DNS, and own the certs that way. If they do end up increasing their security at all, this is a good thing to protect the domain owners. If they don't increase security at all, we're back where we were before, but without the DNS and BGP vectors.


I'm curious about why this is so, since I've had other discussions about trying to increase registrars' role in certificate verification and issuance, and other people also expressed the idea that registrars weren't really up to the task. But doesn't all DV always essentially treat the registrars' view of domain control as axiomatic? How would it make things worse to involve them more proactively?


When we change the role from passive to active we also significantly change the effect of incompetence and laziness, which are ordinary human traits we should expect to find everywhere and most especially in organisations with no public oversight like the registrars.

Peter's scheme involves a tremendous number of these delegated requests going out every day. Doubtless the vast majority will be legitimate. For all those the lazy (but incompetent) solution is to short circuit between Step 3 and Step 6. Everything appears to work exactly as you'd hope, indeed it's better and more reliable than you might expect. Right up until bad guys realise there's a short circuit.

We know Certificate Authorities, which actually do have oversight and are required to keep proper records and so on, have repeatedly got this sort of thing wrong, short circuiting essential validation steps and not realising because the happy path worked. We should expect it to be _at least as bad_ and probably much worse with registrars.

Hence, as I said, at best a side step.

It's also a huge pile of work. To do this you need to get all the registrars on board, or at least so very many that you can declare the others "unsupported" and cease issuance for their domains without a significant backlash. I would be _astonished_ if anyone can put together a working system, deploy it to all/most registrars and so on in under a decade. I might be on board with a programme of work taking a decade if it was a huge improvement, but as I wrote above it's just a sideways step.

Method 3.2.2.4.1 is dead, right? So it seems as though other actors in this space also recognise that "Just ask the registrar" is not a workable solution unless it so happens you are the registrar.
