I've been playing with DRNS as mentioned below and I think I've come up with a good way to do it.
We have a simple XML based format for certificates that are signed using pgp/gpg.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
<drns> <domain name="/"> <!-- Root Certificate for the Distributed Rights System --> <allow expire="never" subtype="domain"> <!-- The Root Certificate allows the following direct subcontent: - only domains - subdomains don't have to expire - signed by the following signatures --> <sig>BB55 B33F 05B7 A620 CEA3 63C4 0DCE 14A6 B176 8E09</sig> <sig>F370 AE16 6A8D FDB8 F170 BFAC 51D8 0BCF EE8F 702F</sig> </allow> <contact> <email>email@example.com</email> <www>http://neudist.org/registry/index.cgi</www> <soap>http://neudist.org/registry/soap.cgi</soap> <xmlrpc>http://neudist.org/registry/xmlrpc.cgi</xmlr pc> </contact> </domain> </drns> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (GNU/Linux) Comment: For info see http://www.gnupg.org
iD8DBQE6peBdDc4UprF2jgkRAiceAJ9IVgWbzYkYxS6TIVg/W5I17B8llQCg mIjA luEjsaG74Yl9iV3CFZlwzZA= =ERm8 -----END PGP SIGNATURE-----
That is an example of a certificate for a domain name. This would be stored on MojoNation, Freenet, the web etc.
The certificate specifies certain signatures, that must sign any direct subdomains or subcomponents. This allows the owner nonrevokable control over a domain. If he issues a certificate to someone else for a sub domain, the owner of the sub domain non revokable control over this and so on.