ietf

Re: Global PKI on DNS?

2002-06-17 09:33:36
> Yes, one could use the DNS merely as a repository for certs from any
> PKI. But, the DNS provides a unique opportunity to take advantage of
> an existing name system that is very widely used and which is
> precisely the way we usually communicate the name of the machine to
> which we wish to connect (or the name of the person to whom we wish
> to send a message).

right, but the name is just a shorthand, it doesn't actually specify
the service to which we wish to connect.  it's entirely possible that
the name-to-service binding has changed without our knowing it,
which is why it's *essential* that we don't depend on such names
as our primary identity for authentication.

> Now, having said that, I acknowledge that one can have such a PKI but
> not choose to have a single root for it. One could have each TLD act
> as its own root and cross certify (using name constraints) to link
> the TLDs together.

What's the point of encouraging people to trust an untrustworthy structure?  

Keith
