
Everyone assumes that each of the Five Eyes governments can, in a pinch, get any certificate they need issued.

What people overlook is that on the modern Internet, browsers themselves form an ad hoc certificate surveillance network. If you get a certificate issued for a site that pins, or create a CT discrepancy, there is a very good chance Google and Mozilla are going to discover the CA responsible. And, as you can see, even if you operate the largest, most important CA on the Internet, Google will, if that happens, fuck your shit up.

If you want one (of many) dispositive arguments against DNSSEC, just consider that Google and Apple and Mozilla are not in fact in a position to fuck shit up for .COM. You can't revoke or distrust a TLD: the use of those TLDs is encoded into the brains of hundreds of millions of users. Not so a CA!
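What a "CT discrepancy" looks like from the domain owner's side, as an added example that is not part of the comment above: a small monitor that scans Certificate Transparency entries for names you control and flags any certificate issued by a CA you never authorised. The log entries, domain names and CA names are constructed here, not real CT data; a real monitor would pull the same fields from a log's get-entries endpoint.

```python
"""Flag certificates in CT logs for watched domains that come from an
unauthorised CA. All records below are constructed sample data, not real
CT log contents; field names mirror what a monitor would extract from a
leaf certificate (issuer organisation, subjectAltName dNSNames, notBefore)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class CtEntry:
    log: str            # which CT log the entry was observed in
    issuer: str         # issuing CA organisation name from the leaf cert
    sans: Tuple[str, ...]  # subjectAltName dNSNames in the leaf cert
    not_before: str     # issuance date, ISO 8601


def name_matches(san: str, domain: str) -> bool:
    """True if `san` covers `domain`: exact match, or a wildcard exactly one
    label above it (*.example.test covers a.example.test, not a.b.example.test)."""
    san, domain = san.lower(), domain.lower()
    if san == domain:
        return True
    if san.startswith("*."):
        parent = san[2:]
        return (domain.endswith("." + parent)
                and domain.count(".") == parent.count(".") + 1)
    return False


def find_discrepancies(entries: Iterable[CtEntry], watched: Iterable[str],
                       authorised_cas: Iterable[str]) -> List[CtEntry]:
    """Return every entry that names a watched domain but was issued by a CA
    outside the authorised set. Each hit is a candidate mis-issuance to
    investigate, and the same data is visible to anyone else reading the logs."""
    authorised = set(authorised_cas)
    hits = []
    for e in entries:
        covers = any(name_matches(s, d) for s in e.sans for d in watched)
        if covers and e.issuer not in authorised:
            hits.append(e)
    return hits


# Constructed sample: two legitimate issuances, one unexpected issuer for a
# watched name, and one unrelated certificate that must not be flagged.
SAMPLE_ENTRIES = [
    CtEntry("log-a", "Example Trusted CA", ("www.example.test", "example.test"), "2024-01-10"),
    CtEntry("log-a", "Example Trusted CA", ("*.example.test",), "2024-02-02"),
    CtEntry("log-b", "Unrelated Intermediate CA", ("login.example.test",), "2024-03-15"),
    CtEntry("log-b", "Unrelated Intermediate CA", ("other.test",), "2024-03-16"),
]
WATCHED = ("example.test", "www.example.test", "login.example.test")
AUTHORISED = {"Example Trusted CA"}

if __name__ == "__main__":
    for hit in find_discrepancies(SAMPLE_ENTRIES, WATCHED, AUTHORISED):
        print(f"unexpected issuer {hit.issuer!r} for {hit.sans} seen in {hit.log} on {hit.not_before}")
```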
