
Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-10 12:35:59
> From those perspectives, a registrar or registry who might
> collude with a criminal registrant to create deliberately
> deceptive names and associated registration data (or whose
> procedures allow similar results without explicit collusion) is
> fully as much part of the threat model as a CA that issues
> certificates without any attempt to verify the identity of the
> entity being certified or who colludes in deliberately hiding or
> distorting the information.

As far as I can tell, we don't have a good word to describe what
DNSSEC does.  It's "the entity sending you these RRs is the same one
that set up the signature chain."  You can be quite certain that it's
the same entity that provided those RRs the last time you asked, but
unless you have some external knowledge about the policies of the
entities at higher levels in the chain, you have no assurance about
its offline identity.

In that regard it's not unlike the current reality of CAs.  Some of
them still try to verify through external sources that an entity is
who it says it is, others like StartSSL only check that you can get
mail at the WHOIS contact address, so you're probably the entity that
registered the domain.

Some of the existing contracted TLDs are supposed to verify that
registrants have specific offline characteristics.  As the proud
registrant of airinfo.aero and airinfo.travel, I can assure you that
they don't.  Some of the new TLDs claim they will have similar
restrictions, e.g., only actual banks in .BANK, but I'm not sanguine.
Given the arguments over .WINE and .VIN, I can see I'm not the only
one.

This is not particularly an ICANN problem -- many ccTLDs are just as bad.

R's,
John
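The guarantee John describes ("the entity sending you these RRs is the same one that set up the signature chain") can be seen in a small validator. The following is an added example, not code from the mail or from any DNSSEC implementation: it models zones with ed25519 keys and SHA-256 key digests as stand-ins for DNSKEY/DS/RRSIG, uses the airinfo.aero name from the mail, and makes up its addresses from documentation ranges. The scenarios show what a chain walk proves (continuity from the parent's delegation, integrity of the data) and what it does not (anything about the registrant's offline identity, or the parent's policy for publishing a DS).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is a toy stand-in for a DNSSEC-signed zone: one key pair, the RRs it
// serves, a signature over that RRset, and DS-style digests of the keys of
// the zones it delegates to. Real DNSSEC has RRSIG/DNSKEY/DS wire formats
// and other algorithms; ed25519 and SHA-256 are illustration only.
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	RRs   []string
	RRSig []byte
	DS    map[string][]byte // child zone name -> digest of the child's public key
}

func rrsetBytes(name string, rrs []string) []byte {
	return []byte(name + "\n" + strings.Join(rrs, "\n"))
}

func dsDigest(pub ed25519.PublicKey) []byte {
	sum := sha256.Sum256(pub)
	return sum[:]
}

// NewZone creates a zone with a fresh key and signs its RRset.
func NewZone(name string, rrs []string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	z := &Zone{Name: name, Pub: pub, priv: priv, RRs: rrs, DS: map[string][]byte{}}
	z.Sign()
	return z
}

// Sign (re)signs the zone's current RRset with the zone's private key.
func (z *Zone) Sign() { z.RRSig = ed25519.Sign(z.priv, rrsetBytes(z.Name, z.RRs)) }

// Delegate publishes a DS-style digest of the child's key in the parent.
func (z *Zone) Delegate(child *Zone) { z.DS[child.Name] = dsDigest(child.Pub) }

// Validate walks from the trust anchor (digest of the root key) down the
// chain: each zone's key must match the digest its parent published, and
// its RRset signature must verify under that key.
func Validate(anchor []byte, chain []*Zone) error {
	expected := anchor
	for i, z := range chain {
		if !bytes.Equal(dsDigest(z.Pub), expected) {
			return fmt.Errorf("%s: key is not the one the parent vouched for", z.Name)
		}
		if !ed25519.Verify(z.Pub, rrsetBytes(z.Name, z.RRs), z.RRSig) {
			return fmt.Errorf("%s: RRset signature does not verify", z.Name)
		}
		if i+1 < len(chain) {
			next, ok := z.DS[chain[i+1].Name]
			if !ok {
				return fmt.Errorf("%s: no DS for %s", z.Name, chain[i+1].Name)
			}
			expected = next
		}
	}
	return nil
}

// Scenarios returns, per case, whether the validator accepts the chain.
// Keys and RR data are constructed here; names follow the mail.
func Scenarios() map[string]bool {
	root := NewZone(".", []string{". SOA ..."})
	aero := NewZone("aero.", []string{"aero. SOA ..."})
	site := NewZone("airinfo.aero.", []string{"airinfo.aero. A 192.0.2.10"})
	root.Delegate(aero)
	aero.Delegate(site)
	anchor := dsDigest(root.Pub)
	out := map[string]bool{}

	// 1. Intact chain from anchor to leaf validates.
	out["intact chain"] = Validate(anchor, []*Zone{root, aero, site}) == nil

	// 2. The key holder changes the data and re-signs: still validates.
	//    This is the continuity DNSSEC gives: same signer as before.
	site.RRs = []string{"airinfo.aero. A 192.0.2.20"}
	site.Sign()
	out["same key holder re-signs"] = Validate(anchor, []*Zone{root, aero, site}) == nil

	// 3. Data altered in transit without the key: fails.
	tampered := *site
	tampered.RRs = []string{"airinfo.aero. A 198.51.100.99"}
	out["altered in transit"] = Validate(anchor, []*Zone{root, aero, &tampered}) == nil

	// 4. A new key for the leaf that the parent's DS does not name: fails.
	rekeyed := NewZone("airinfo.aero.", site.RRs)
	out["new key, old DS"] = Validate(anchor, []*Zone{root, aero, rekeyed}) == nil

	// 5. The parent publishes a DS for the new key (a legitimate transfer,
	//    or a registry that checks nothing): validates. The chain says the
	//    parent delegated to this key, nothing about who holds it offline.
	aero.Delegate(rekeyed)
	out["parent publishes new DS"] = Validate(anchor, []*Zone{root, aero, rekeyed}) == nil
	return out
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-28s validates=%v\n", name, ok)
	}
}
```

Cases 4 and 5 are the point of the thread: the validator cannot distinguish a careful registry from a careless or colluding one, because both produce a DS that chains to the anchor. Whatever assurance the DS carries comes from the parent zone's registration policy, which the validator has to learn from outside DNSSEC.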
