by entropyie 1252 days ago
DNS? crt.sh? Certificate Pinning? Apply this only to non-routable IPs? Apply this only to certain TLDs, such as: .local .lan .personal There are many options. Also, how would this be any worse than visiting a plain HTTP site instead?

DNS can be MitM'd. crt.sh would be in a position to get all your browsing history.

The local thing would work, but of course only for local hosts.

It would not be worse than using plain HTTP, and my personal opinion is that visiting a plain HTTP site should have the same UX as visiting a self-signed one.

All fair points, and I would settle for HTTP-equivalent UX. DoH and DoT would go some way to mitigating DNS inadequacies (although they have their own issues in terms of network autonomy). I personally think the best long-term solution would be for each TLD to maintain the CA bundle and TLS standards for that TLD. That way there is no case where a CA cert from CN can issue a cert for google.com.

It would also specifically allow non-identity locally issued certs for .local, .lan, .hobby, etc.
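The policy the thread sketches (treat a self-signed cert as plain-HTTP-equivalent only for non-routable IPs or local TLDs, and pin it on first use), as an added example that is not any commenter's code; the TLD list and the in-memory pin store are assumptions:

```python
import hashlib
import ipaddress

# TLDs the thread mentions for locally issued, non-identity certs (assumed policy list).
LOCAL_TLDS = {"local", "lan", "personal", "hobby"}


def is_non_routable(host: str) -> bool:
    """True if host is an IP literal that is not globally routable
    (RFC 1918, loopback, link-local, unique-local IPv6, ...)."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # allow bracketed IPv6 literals
    except ValueError:
        return False  # a DNS name, not an IP literal
    return not ip.is_global


def has_local_tld(host: str) -> bool:
    """True if the name ends in one of the local-only TLDs (single labels excluded)."""
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] in LOCAL_TLDS


def self_signed_ux(host: str) -> str:
    """Decide how the UI should treat a self-signed certificate for this host:
    'http-equivalent' (no lock icon, no interstitial) for local targets,
    'interstitial' for anything that looks like a public name or address."""
    if is_non_routable(host) or has_local_tld(host):
        return "http-equivalent"
    return "interstitial"


def pin_matches(cert_der: bytes, pin_store: dict, host: str) -> bool:
    """Trust-on-first-use pinning: remember the certificate fingerprint the
    first time a host is seen, then reject any later change to it."""
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    if host not in pin_store:
        pin_store[host] = fingerprint
        return True
    return pin_store[host] == fingerprint
```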