by EvangelicalPig
1911 days ago
On a related note, pinning the public keys of TLS certificates in browsers used to be a thing (HPKP) and it did mitigate certain classes of attacks with caveats (i.e., let's hijack a domain using an "incompetent" domain registrar and MITM clients that previously visited this site, happens more than you think [1][2]). Given how it was configured using HTTP headers, and with the average site having buggy webapps and such that could be used for header "injection" independent of the webserver, it was unfortunately considered a theoretical persistent DoS vector, and thus removed from browsers. I'm not convinced other solutions (CAA, CT) are adequate replacements because at best they are reactive (versus preventative) solutions, and CAA assumes all CAs are properly checking DNS records at the time of issuance and that those DNS queries are not being intercepted, which is a big assumption in my book.

[1]: https://www.fox-it.com/en/news/blog/fox-it-hit-by-cyber-atta...

[2]: https://krebsonsecurity.com/2020/03/phish-of-godaddy-employe... (okay, was just a deface, but still accomplished with a hijacked registrar account)
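Added illustration of the HPKP lockout the comment above refers to; this is editor-supplied example code, not part of the comment. It models the client side of RFC 7469 pinning with the standard library only: the pin value is base64(SHA-256(SPKI DER)), a Public-Key-Pins header is only noted if at least one pin matches an SPKI in the chain actually served and at least one pin is a backup not in that chain, and later visits must present a chain containing some noted SPKI. The SPKI byte strings and the hostname-free scenario are constructed placeholders; the point shown is that an attacker who can only inject a response header (no access to the TLS key) can still pin the site's real key plus an attacker-chosen backup, which passes the acceptance check and then locks clients out once the site rotates its key, for the whole max-age.

```python
import base64
import hashlib
import re

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo
# blobs; in real use these come from the certificate chain the server sends.
SITE_KEY_2020 = b"constructed SPKI placeholder: site key, issued 2020"
SITE_KEY_2021 = b"constructed SPKI placeholder: site key after rotation"
ATTACKER_KEY = b"constructed SPKI placeholder: attacker-controlled backup key"


def spki_pin(spki_der: bytes) -> str:
    """HPKP pin value (RFC 7469): base64 of SHA-256 over the SPKI DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_hpkp_header(spkis, max_age: int = 60 * 24 * 3600) -> str:
    """Build a Public-Key-Pins header value pinning the given SPKIs."""
    pins = "; ".join(f'pin-sha256="{spki_pin(s)}"' for s in spkis)
    return f"{pins}; max-age={max_age}; includeSubDomains"


def parse_hpkp(header: str) -> dict:
    """Extract pins and directives from a Public-Key-Pins header value."""
    pins = re.findall(r'pin-sha256="([^"]+)"', header)
    m = re.search(r"max-age=(\d+)", header)
    return {
        "pins": pins,
        "max_age": int(m.group(1)) if m else None,
        "include_subdomains": "includeSubDomains" in header,
    }


def note_pins(header: str, chain_spkis):
    """Client-side acceptance check from RFC 7469.

    The header is only noted (stored) if at least one pin matches an SPKI in
    the chain actually served AND at least one pin does not (a backup pin).
    Returns the parsed pin set, or None if the header is ignored.
    """
    parsed = parse_hpkp(header)
    chain_pins = {spki_pin(s) for s in chain_spkis}
    offered = set(parsed["pins"])
    if not (offered & chain_pins):   # nothing in the served chain is pinned
        return None
    if not (offered - chain_pins):   # no backup pin, rotation would be impossible
        return None
    return parsed


def connection_allowed(noted_pins, chain_spkis) -> bool:
    """Pin validation on a later visit: some chain SPKI must match a noted pin."""
    return bool(set(noted_pins) & {spki_pin(s) for s in chain_spkis})


def lockout_scenario():
    """Replay the persistent-DoS concern. Returns (first_visit_ok, after_rotation_ok).

    The injected header pins the site's real current key plus an attacker
    backup. It passes note_pins() because the real key is in the chain. After
    the site rotates to SITE_KEY_2021, no noted pin matches and every client
    that stored the pins is locked out until max-age expires.
    """
    chain_now = [SITE_KEY_2020]
    injected = build_hpkp_header([SITE_KEY_2020, ATTACKER_KEY])
    noted = note_pins(injected, chain_now)
    first_visit_ok = noted is not None and connection_allowed(noted["pins"], chain_now)

    chain_after_rotation = [SITE_KEY_2021]
    after_rotation_ok = connection_allowed(noted["pins"], chain_after_rotation)
    return first_visit_ok, after_rotation_ok


if __name__ == "__main__":
    print("pin for 2020 key:", spki_pin(SITE_KEY_2020))
    # A header pinning only keys absent from the served chain is ignored:
    bogus = build_hpkp_header([ATTACKER_KEY, SITE_KEY_2021])
    print("bogus header noted:", note_pins(bogus, [SITE_KEY_2020]))
    print("first visit ok, after rotation ok:", lockout_scenario())
```

The two rejection branches in note_pins() are what made a pure "pin the attacker's keys" injection fail; the branch that does not help is the one where the backup pin is attacker-chosen, which is the case the scenario exercises. The same lockout also applied to legitimate operators who lost a backup key, which is why browsers treated the header as a footgun rather than only as an attack surface.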