DNSSEC is signed by CAs. If an attacker can compromise a CA, they can compromise DNSSEC.

Sure, it works well for chumps like Facebook and the the NY Stock Exchange, but no one is using it for serious . . . um, wait . . . nevermind.

I don't know about Facebook, but NYSE is using Red Hat Enterprise Linux, not Gentoo. Actually, I'm not aware of anyone who is using Gentoo for anything serious.

Why not go with something simpler?
1. Use the DNS CERT record and ensure that we use dnssec with all zones up to the root signed (or another DNS security scheme).

...because that's the same as the system we have now. If the CA that signs DNSSEC is compromised, then the whole system is broken.

If a notary is compromised, we can replace that notary and be done. If a CA is compromised, we have to replace the CA and every active cert in the world that they've signed.

The short answer is, users want a binary answer. Can this site be trusted, true/false.

And in the Convergence system, they get that. A site is trusted if all of your notaries agree that the certificate you see is the same certificate they see. If it differs from the certificate that they see, then something is amiss and the certificate is not trusted.

Sure, you can say "I only trust this Notary", but how do you know that Notary is even who you think it is?

The same way that you know CAs, now: you keep their certificate in a local store for validation.

again, same problem you have now.

No, you don't. You have one of the two problems that we have now. Right now, the two significant problems are 1) that we rely on organizations that could be compromised and 2) if one of the larger organizations is compromised the cost of dropping our trust in them is impossibly high.

In the Convergence system, it's still possible that a notary could be compromised. However, notaries are all equal. We can drop any notary without the same costs as dropping a CA in the system we're using now.

Since most people simply won't switch, even if Convergence was 100% effective it wouldn't matter. Most SSL attacks would still take place just fine.

You're even wrong here. I can switch to Convergence right now, and without anyone else switching, I've improved my security. This isn't a system that requires that everyone change to be effective. It's immediately effective for anyone who changes.

A lot of people suggest DNSSEC as a component of replacing CAs, but overlook that DNSSEC requires CAs to function. If the problem is that you can't trust anys given CA, then a replacement has to be independent of CAs.

DNSSEC can't be a component of a system that doesn't trust CAs, which is exactly what Convergence aims to be.

Notaries are no more trustworthy than CAs; the advantage is what Moxie Marlinspike calls "trust agility". See, if a CA is compromised, users cannot easily stop trusting the CA. The big CAs simply have too much influence. Drop a major CA, and a significant percentage of the internet's certs are no longer valid. The economic costs of replacing a CA are tremendous.

If a notary is compromised, no big deal. Notaries can be dropped and replaced without any noticeable consequence. Notaries can be just as effective as CAs, with the advantage that they can be easily replaced.

there's no denying his contributions to popular culture

I wish the man a peaceful rest, but let us not speak falsely. Apple, under Jobs, has not contributed to culture so much as they have shackled it.

Culture is not a product.

Culture is what is shared by society. Culture is our values and our knowledge.

Apple created phones that forbid the distribution of Free Software, and that prohibited users from installing software of their own choosing. Users who wanted Freedom had to "jailbreak" their phone. Apple resists using open standards in their software, and have contributed back to the community far less than they have taken, despite profiting tremendously from the work of volunteers. They have worked toward distribution channels that funnel a portion of all purchases to the corporation.

Apple is a profoundly anti-social organization that sells very pretty baubles that lock culture away to wither and die. They do not contribute to culture.

And Awlaki has been in the middle of conducting murder for some time now, and promising to conduct more, at every single opportunity.

Awlaki did not literally have a gun to anyone's head. You don't seem to be able to see the difference between your hypothetical situation and actual facts. Evidently, you are no longer meaningfully connected to reality.

Would you still demand some kind of "due process" for the individual(s) involved, or would you agree that the United States should send a bombing mission to silence these high profile Nazi sympathizers?

As assassination is against the law, due process is appropriate unless they are actually combatants.