"The main requirement for being able to [create a Sovereign Key] is that the requesting party controls a CA-signed certificate for the relevant domain, or uses a DNSSEC-signed key to show that they control that domain".
I don't quite understand this. If our problem is that CA-signed certificates are not very trustworthy, why use them as the basis for the new system?
I don't quite understand this. If our problem is that CA-signed certificates are not very trustworthy, why use them as the basis for the new system?
Can someone explain the DNSSEC alternative?