I don't even understand the premise of this argument. You're in effect saying that we should replace commercial trust roots that are accountable to browser vendors with government-run trust roots accountable to no-one. How could that be an improvement?



My argument is that the TLDs already fully control the ___domain. Given that they fully control the ___domain, they can use that to request issuance of a ___domain-controlled certificate.

If at the end of the day, the TLD controls everything, I'd rather not have anybody else to worry about.


That's not true. If Verisign tomorrow altered .COM to temporarily claim a Google name sufficient to acquire a DV Google.com cert, the CA that issued that certificate would be dead the next day.


That's great if you're Google, but if Neustar took over my .org ___domain, any CA would be happy to issue, and I'd be SOL. I don't see a whole lot of difference between that and if they take over my .org and that enables them to issue certs directly through DANE or whatever.


I don't know what to tell you other than that the mechanisms I'm talking about that protect companies like Google have done more to directly protect smaller companies from these same attacks than DNSSEC has in the 24(!) years(!) Internet standards people have been working on it.

