Well, we agree on the utility of having multiple PKIs. We disagree on
the need for a PKI that happens to cover a specific name space that
underlies the vast majority of IP-based communications, or at least
you disagree on the desirability of that specific PKI given the
reality of who runs which TLDs. But, you don't offer any suggestions
on how to address the need that a DNS-based PKI satisfies.
I don't see it as a 'need' in that sense. If you want to increase
the level of trust over the current situation, you pretty much have
to either exchange keying material directly with that party,
or pick a third party that *you* trust to serve as an intermediary.
It's really hard to have multiple intermediaries because you need
to trust them all. And just because someone runs a TLD doesn't mean
that you want to trust them - it often means you should be wary of them.
It really doesn't have much to do with DNS - the problem is that
real trust doesn't scale to that level no matter what the naming
scheme or the protocol.
Keith