We seem to agree that the DNS could be used to distribute certs, so
the question is what should the certs attest to and who should issue
them. I argue that we need certs that support validation of DNS
bindings, and that the only authoritative sources for that info are
the folks who manage the DNS.

and there is no assurance that they're trustworthy.

Anyone else is a TTP, with all the
problems that implies.
the problems associated with TTPs may actually be less than the problems
associated with implicitly trusting the TLDs. you *choose* whether to
trust a TP. limited trust of the TLDs is essentially forced on you,
but it's a mistake to extend that trust beyond the minimum necessary.

it's one thing to get an address RR of a server from a TLD. you still
have the opportunity to authenticate that server via other means that
you trust. the worst the TLD can do in this case is a DoS attack.

OTOH if the TLD has the capability of issuing a bogus cert for the
server you want to contact, and you are foolish enough to trust it,
you're screwed. and the TLDs will mislead the public into trusting
them, because they'll be the "obvious" choice, and because there's
nobody to keep them honest.

this is why a DNS-based PKI is a Bad Idea.

OTOH being able to access TP certs via DNS could be quite useful.

the most trust that should be invested in the TLDs (or any zone)
should be the ability to authenticate the RRs in their zone,
and specifically NOT to authenticate servers. and we don't need
a DNS PKI to authenticate RRs, we have other mechanisms for that.