Why SSL certs are not decentralized?

What you're talking about exists: it's called DANE: https://en.m.wikipedia.org/wiki/DNS-based_Authentication_of_...

It’s not a trivial problem to solve.

See Zooko’s triangle: https://en.wikipedia.org/wiki/Zooko%27s_triangle and https://web.archive.org/web/20011020191610/http://zooko.com/...

Simple: the financial interests of huge corporations like DigiCert.

They sit in standards bodies that could fill their moat and undermine every open effort.

It’s insidious and there’s not much anyone with less than a billions dollars of interest in the matter can do about it.

Maybe a government or mega corp like Google will fix it, but I’m not holding my breath…

Why not use public key as IP. Like yggdrasil-go, use `public_key.sha256.first_63_bit === ipv6[1..64]` (maybe some data error but here is how it works). Well, yggdrasil is an overlay network, it can do that. But the ISP network cann't. Maybe we all should move to an overlay network.

1. An txt record adds more time to the request, since you can't start the request before opening an tls connection. 2. The browser has to go through all the TXT records. My domains already have 4-5 TXT records. 3. The dns is still pretty much insecure. Dnssec is still not always available

How do you secure the DNS entries?

Popular browsers are controlled by so-called "tech" companies that sell advertisiing services and seek to profit from online purchases.

These so-called "tech" companies exert oversized control over the CA scheme.

Pure coincidence.

I like the thinking and direction here.

At least, we could use this in situations where root cert is not part of CA stores in os/browsers.

that's a fair question for me too. Same for DRM certificates