by userbinator 4162 days ago
4) Ask sites to publish via an out-of-band channel their certificate fingerprints in an easy-to-verify manner.

I think the centralised CA model really needs to be replaced, although it will be hard to displace as long as those involved have a financial interest in continuing it.

1 comment

The problem you're describing has been dubbed Zooko's triangle. It's unclear whether decentralised solutions to authenticated human-meaningful names can ever scale to something as large as the DNS.

https://en.wikipedia.org/wiki/Zooko%27s_triangle