an out of band method (phone, in person, business card). I don't see how a limited access domain helps in binding keys to people, unless the registrars are going to start acting as CAs as well. Anyone can create a PGP key with trustme@fubar.cpa.pro as an associated email address.
The .pro website said they were going to do certs, but at this point it seems unlikely that they'll do anything. It's somewhat harder (not impossible, somewhat harder) to get a bogus S/MIME cert since the issuers all do at least perfuntory mailback verification. Regards, John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner "I dropped the toothpaste", said Tom, crestfallenly.