I think he makes a fair point. Browser vendors may be trusting CAs to do more due diligence on their DNS lookups than they might expect browser users to even be able to provide.
I still think there's a better way, though. Surely it must be possible to do some consensus through WebRTC and end up with something that lets me run my own domain-specific CA, at least for DV certs.