The problem is a lot of companies have done shady things and they are still participating in PKI. And a huge issue is that I can't pick my trustworthy parties: For instance, I do not trust Google. But a huge portion of the web won't work unless my browser assumes Google can issue certs for any domain in the world. I also don't trust half a dozen CAs in countries I don't deal with and would rather prefer not to have access to at all. When a Chinese PKI provider fails, I first wonder why I'm even trusting these CAs to begin with.
I'd prefer a system backed by DNS, and based on verifying the ownership of domains and the authorized DNS provider for that domain. Presumably, in my example, the only domains Google would be authorized to secure would be domains provided via Google's DNS and domain products.
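The closest existing mechanism to the DNS-backed authorization sketched in the comment above is the CAA record (RFC 8659), which lets a domain owner list the CAs permitted to issue for that name; the example below evaluates a CA's authorization against a constructed zone. It is an added illustration, not code from the thread or from any CA; the zone contents and the CA identifiers `ca-one.example` / `ca-two.example` are constructed, and a real checker would fetch the records over DNS (ideally DNSSEC-validated) instead of reading a dictionary.

```python
"""Evaluate CAA (RFC 8659) authorization for a CA against a constructed zone.

Added example for the discussion above, not code from the thread.
The ZONE dictionary stands in for DNS lookups; every name and CA
identifier in it is constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 0x80 is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # for issue/issuewild: "<issuer-domain>[; param=value ...]" or ";"


# Constructed zone: owner name -> CAA record set (names are fully qualified).
# example.com.: only ca-one may issue, and no CA may issue wildcard certs.
# api.example.com.: overrides the parent, only ca-two may issue.
ZONE: Dict[str, List[CAA]] = {
    "example.com.": [CAA(0, "issue", "ca-one.example"),
                     CAA(0, "issuewild", ";")],
    "api.example.com.": [CAA(0, "issue", "ca-two.example")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def _ancestors(name: str):
    """Yield the name itself, then each parent, as fully qualified names."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def relevant_caa(name: str, zone: Dict[str, List[CAA]] = ZONE) -> List[CAA]:
    """RFC 8659 section 3: the relevant record set is that of the closest
    ancestor-or-self that has CAA records; an empty list means none found."""
    for candidate in _ancestors(name):
        if candidate in zone:
            return zone[candidate]
    return []


def _issuer_domain(value: str) -> str:
    """Strip parameters; a bare ';' yields '' meaning 'no issuer permitted'."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(ca_id: str, name: str, wildcard: bool = False,
                 zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Return True if CA `ca_id` is permitted to issue for `name`."""
    rrset = relevant_caa(name, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised tag marked critical means the CA must refuse.
    if any((r.flags & 0x80) and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild, falling back to issue when absent.
    props = [r for r in rrset if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not props:
        props = [r for r in rrset if r.tag == "issue"]
    if not props:
        return True  # no restricting property in the relevant set
    return ca_id.lower() in {_issuer_domain(r.value) for r in props}


if __name__ == "__main__":
    for ca, host, wild in [("ca-one.example", "www.example.com", False),
                           ("ca-two.example", "www.example.com", False),
                           ("ca-one.example", "www.example.com", True),
                           ("ca-two.example", "api.example.com", False),
                           ("ca-one.example", "other.test", False)]:
        print(f"{ca:16} {'*.' if wild else ''}{host:20} -> {ca_may_issue(ca, host, wild)}")
```

Two design points worth noting: the lookup walks up the name tree so a subdomain without its own records inherits its parent's policy, and a wildcard request is governed by `issuewild` when present. CAA is enforced by the CA at issuance time, not by the browser at connection time, so it limits which compliant CAs may issue for a name but does not by itself let a client reject a mis-issued certificate.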
> For instance, I do not trust Google. But a huge portion of the web won't work unless my browser assumes Google can issue certs for any domain in the world.
Um no. Google's four production roots (GTS Root R1 through R4) are essentially dormant. You could (but probably shouldn't) manually distrust these roots with no impact.