by tzs 3166 days ago
Why is certificate management not integrated with DNS? You already have to consult DNS to get an address to connect to, so why not piggyback certificate validity information on top of that? I'd suggest allowing both revocation lists and a way to say that only a specific list of certificates is allowed.

There are some things like that (e.g. DANE), but in the general case you cannot trust DNS, since it isn't authenticated. (DNSSEC is far from everywhere, and even if the resolver does DNSSEC, the connection to the resolver might be unprotected.)
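As an added illustration of the reply's caveat (not code from either commenter), here is a DANE-style TLSA check in Python that parses the record's wire format and refuses to honour it unless the DNS answer was DNSSEC-validated. The certificate bytes, SPKI bytes and the `dnssec_validated` flag are constructed stand-ins, and the function names are assumptions of this example.

```python
import hashlib
import hmac
import struct

# TLSA RDATA layout (RFC 6698): usage(1) | selector(1) | matching type(1) | data.
DANE_EE = 3                       # certificate usage 3: pin the end-entity cert
FULL_CERT, SPKI = 0, 1            # selector: whole cert or SubjectPublicKeyInfo
EXACT, SHA256, SHA512 = 0, 1, 2   # matching type

def build_tlsa(usage, selector, mtype, data):
    return struct.pack("!BBB", usage, selector, mtype) + data

def parse_tlsa(rdata):
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]

def association_data(cert_der, spki_der, selector, mtype):
    """Compute what the record's data field must equal for this certificate."""
    selected = {FULL_CERT: cert_der, SPKI: spki_der}[selector]
    if mtype == EXACT:
        return selected
    if mtype == SHA256:
        return hashlib.sha256(selected).digest()
    if mtype == SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError("unsupported matching type")

def tlsa_matches(rdata, cert_der, spki_der, dnssec_validated):
    """True only if the record is DNSSEC-validated AND pins this certificate.

    dnssec_validated stands in for the AD bit from a resolver reached over a
    protected channel (or local validation): an unauthenticated DNS answer
    must never be allowed to vouch for a certificate."""
    if not dnssec_validated:
        return False
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage != DANE_EE:
            return False  # other usages need CA-chain logic, not shown here
        expected = association_data(cert_der, spki_der, selector, mtype)
    except (KeyError, ValueError):
        return False  # malformed or unsupported record: fail closed
    return hmac.compare_digest(expected, data)

# Constructed sample input: stand-ins for a leaf cert's DER and its SPKI.
CERT_DER = b"constructed-leaf-certificate-bytes"
SPKI_DER = b"constructed-subject-public-key-info-bytes"
RECORD = build_tlsa(DANE_EE, FULL_CERT, SHA256, hashlib.sha256(CERT_DER).digest())
```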