Ross Wm. Rader wrote:
Please don't put words in my mouth. The fundamental issue is that email is an inherently insecure mechanism. It allows others to represent themselves, not as "my spokesperson", but as "me". Somehow, it remains a fundamental part of the authentication process for all domain related transactions.
First, I'm not putting words in your mouth. I'm refuting you.
Second, email can be made much more secure with a web of trust.
In order for that to be true, though, no part of the confirmation process can pass through a party with an interest in the transaction.
Changing the transaction authorization process ("Yes, I requested that") does not change the identity assertion and authentication issue (I am who I say I am and I have the authority to undertake this transaction").
Your personal interest is leading you to claim that an important part of the problem is irrelevant.
In the case at hand, the problem is the authorization process. Not fixing the authentication issue doesn't leave you free to dismiss the authorization issue,
Most important, your self-interest -- that of your peers, actually, because I trust you -- is a major part of the problem. The registrars are among the criminals, and their (and your) financial involvement automatically creates a conflict of conflict.
