Since people continue to debate the CA vs DNS Registrar thing, I will just point out that we haven't had a case where an outright criminal operation has set up as a CA. In the DNS space we have had fully accredited registrars that have been just that.
Also, the WebPKI is not designed to provide confidentiality or even authenticate the parties. It is designed to make electronic commerce possible in an open network by establishing accountability. Back in 1995, export crypto was limited to 40 bits. People seem to forget that.
If people have a limited understanding of what the WebPKI is designed to do and ignore all the parts that don't meet their expectations, well of course they will end up assuming something else could do the same. But that doesn't make it true.
I have never seen much if any value to domain validated certs at all. Just use raw keys or self signed certs and you will get pretty much the same benefit. I suggested Web browsers stop giving out the silly WARNING THIS CONNECTION IS SECURED BUT NOT ENOUGH messages back in the 1990s. If a browser is going to accept an entirely insecure connection, it should not complain when something better is offered, but it shouldn't show a padlock icon either.
The WebPKI is all about accountability through incorporation credentials. That is why we never suggested it as the basis for DKIM technology. If there was going to be a PKI backing up DKIM it would be advising sender reputation.
