by castillar76
2747 days ago
PKI absolutely works, but the complexity complaint is still valid. I work in PKI, and we often tell people that PKI is difficult to do correctly, easy to do wrong, and nearly impossible to remove once you've screwed it up. That's the fundamental difference between something like PKI and DNS. It's very easy to set up a PKI and get things to trust your chain, but if you haven't done the leg-work to figure out how you'll replace it when it expires/breaks/needs upgrading/gets compromised, you're totally hosed. I've seen more than one environment brought to its knees because it was easy to check the "use certificates for my AD environment" boxes in Windows (just as an example), and then the root CA is on a laptop in Jim-Bob's desk drawer and five years after he retires the whole network goes sideways and no one knows why or how to fix it. Fortunately, as someone pointed out up-thread, the demand for new PKI being generated not just for SSL by things like Let's Encrypt but also by things like device-aware trust is helping encourage a trend in making it easier to do it correctly and harder to do it wrong. Not quite there yet, but showing signs of improvement.