
Not the kind of security decision I want to see a CA make!

Which underlies the problems with PKIX: any CA can sign anything, just about. Lowest common denominator. I actually prefer DNSSEC there myself - yes, yes, I know, hear me out for a moment! - because even if it's hierarchical, it's single hierarchical from those who are supposed to control the DNS anyway. (Of course, that still introduces points of attack. It's reasonable for countries to control ccTLDs but I wouldn't mind seeing IANA control the others under international law. And it doesn't really do it very well.)

In practice both have big flaws, but at least one can be used to pin the other so the benefits of both can be realised. Distributed systems may win in the end, but we're only at the start of that journey.


