[woodruffw]

The problem with the CA system is arguably not that it’s a single point of failure: it’s that it’s N points of failure, all of which were originally unaccountable to user agents. The CAs are themselves decentralized entities, and each was largely unaccountable to the larger web PKI until CT came along.

I think a DNS layer would probably make that problem worse, not better, which is one of the enduring criticisms of DNSSEC and DANE.

[yup_sto]

You're likely right here, combining two trust systems does add complexity without solving the core problem. While browsers requiring CT was a great step forward, it's surprisingly under-utilized by orgs. I wonder if this is due to limited tooling for log interaction, or just general lack of awareness?

[tptacek]

It's pretty widely used; orgs that have security teams with more than a handful of people tend to be monitoring CT for their own names. Could it be more usable? Yeah, there's probably more than one startup in there. Have at it! You don't need anybody's permission to build something like that.