There are plenty of registrars that do this in countries where the laws govern the application of domain names. I didn't get my domain in my own country because of this. I didn't want to go through the hassle of registering a business name, providing identification and tax documentation and then paying 5x more for the domain and hosting as a result of this.
For what it's worth I am not asserting anyone who wants a domain should be vetted in any way. I'm only saying if you're going to hand out domains and certs like candy the domain registrar is the best place to do that instead of doing it separately in a different insecure step elsewhere.
Yes. It's worth remembering why we stepped away from this approach. The ability to encrypt separately to the high cost of the ability to encrypt + validate kept a large portion of the internet unencrypted. DVs lowered the bar to encryption which cuts out a whole lot of risk factors.
To reduce operating costs and increase profits?
I have no problem with DV itself. I have a problem with vetting of actual organizations being rendered meaningless and I have a problem with CAs being in the business of handing out DV certs.
Err no you can't MitM with a certificate that doesn't match the domain you're talking to.
No need to break a trust chain or develop exotic methods to subvert crypto when the chain of trust itself is an illusion. Consider the following 7-step plan:
1. Gain access to the victim's wires
2. Go to any of a zillion different CAs or LE.
3. Submit CSR or equivalent to chosen CA
4. Follow automated validation procedures
5. Leverage access to victim's wires to screw with unsecured DNS requests and/or unsecured web requests to fool automated validation procedure.
6. Install valid certificate assigned to you by a legitimate CA.
7. Leverage your new certificate to MITM your victim's systems to your heart's content.
CAs have no business handing out DV certs.
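The 7-step plan above, modelled as runnable code. This is an added example, not code from any commenter, CA or ACME client: a toy model of an ACME HTTP-01 domain validation in which the CA resolves the requested name and fetches a challenge file over plain HTTP from the resolved address (step 5 of the plan is the attacker rewriting the unsigned DNS answer the CA's resolver receives). The domain, IP addresses, account key and the `WebHost`/`ToyCA` classes are all constructed for the illustration; the real HTTP-01 key authorization is a token plus a JWK thumbprint, which the string hash here stands in for. The last function also shows the check the plan's author does not mention and that Let's Encrypt actually performs: validating from several network vantage points, so an attacker who is only on-path for one of them fails issuance.

```python
# Added example (not from the thread): toy model of HTTP-01 domain validation,
# the on-path DNS-rewrite attack from the 7-step plan, and multi-perspective
# validation as the countermeasure. Names and addresses are constructed.
import hashlib
import secrets

VICTIM_DOMAIN = "victim.example"      # constructed
VICTIM_IP = "203.0.113.10"            # constructed (TEST-NET-3 range)
ATTACKER_IP = "198.51.100.7"          # constructed (TEST-NET-2 range)
CHALLENGE_DIR = "/.well-known/acme-challenge/"


class WebHost:
    """Minimal stand-in for a web server reachable at one IP address."""
    def __init__(self):
        self.files = {}

    def serve(self, path, body):
        self.files[path] = body

    def get(self, path):
        return self.files.get(path)


# IP -> host. The victim's real server never serves any challenge file.
NETWORK = {VICTIM_IP: WebHost(), ATTACKER_IP: WebHost()}


def honest_resolver(name):
    """What DNS returns when nobody tampers with the wire."""
    return VICTIM_IP if name == VICTIM_DOMAIN else None


def poisoned_resolver(name):
    """Step 5 of the plan: the on-path attacker rewrites the unsigned A answer
    the CA's resolver receives, pointing the victim's name at the attacker."""
    return ATTACKER_IP if name == VICTIM_DOMAIN else None


def key_authorization(token, account_key):
    """HTTP-01 expects '<token>.<thumbprint of the requester's account key>'.
    The real thumbprint is over a JWK; hashing a string stands in for that."""
    thumbprint = hashlib.sha256(account_key.encode()).hexdigest()[:32]
    return f"{token}.{thumbprint}"


class ToyCA:
    """Issues a challenge token, then fetches it over HTTP from whatever IP
    the domain resolves to. That resolution step is the whole attack surface."""
    def new_challenge(self, account_key):
        token = secrets.token_urlsafe(16)
        return token, key_authorization(token, account_key)

    def validate(self, domain, token, expected, resolve):
        ip = resolve(domain)
        host = NETWORK.get(ip)
        if host is None:
            return False
        return host.get(CHALLENGE_DIR + token) == expected

    def validate_multi_perspective(self, domain, token, expected, resolvers):
        """Every vantage point must pass. One perspective the attacker is not
        on-path for sees the victim's real server, finds no file, and blocks
        issuance."""
        return all(self.validate(domain, token, expected, r) for r in resolvers)


def attacker_requests_cert():
    """Steps 2-4 and the attacker's half of step 5: request a challenge for the
    victim's name and publish the key authorization on the attacker's own host."""
    ca = ToyCA()
    token, expected = ca.new_challenge("attacker-account-key")  # constructed key
    NETWORK[ATTACKER_IP].serve(CHALLENGE_DIR + token, expected)
    return ca, token, expected


def dv_issued(resolvers):
    """Does the CA issue to the attacker, given the resolvers its vantage points use?"""
    ca, token, expected = attacker_requests_cert()
    return ca.validate_multi_perspective(VICTIM_DOMAIN, token, expected, resolvers)


if __name__ == "__main__":
    print("honest DNS, single perspective:", dv_issued([honest_resolver]))
    print("poisoned DNS, single perspective:", dv_issued([poisoned_resolver]))
    print("poisoned DNS at one of two perspectives:",
          dv_issued([poisoned_resolver, honest_resolver]))
```

With a single vantage point behind the attacker's wire the plan works exactly as described: a legitimate CA hands the attacker a certificate for a name they do not control. The same request fails as soon as one vantage point the attacker cannot reach is added, which is why validating from multiple network perspectives (and signing the DNS data the CA relies on) matters more to DV's actual security than who the CA is.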