A PKI modeled on the DNS would parallel
the existing hierarchy and merely codify the relationships expressed
by it in the form of public key certs.
so what you're saying is that the cert would mean something like:
"we certify that this key was supplied by a party who gave us money
in exchange for our assigning domain name x.y to it. we have no
idea who that party really is, whether it is trustworthy, and
in particular whether that party can be trusted to manage its keys
in such a way as to make compromise unlikely. for that matter,
we're not even entirely sure whether the party that gave us money
for this domain last time it was renewed was the same as the party
that gave us money for the domain in the past. for that matter,
we didn't get the money directly from that party, we got it from
a registrar who you may or may not be able to trust either.
and for that matter, you have no idea whether we are trustworthy.
we could be making all of this up, and in fact we're so large and
control the trust relationships to so many domains that there is
a fair amount of incentive for us to do exactly that under some
conditions, but we won't tell you want those are but you should
trust us anyway, because we said so"
Keith