Doesn't Certificate Transparency, OCSP, and CAA help? If the certificate isn't in the CT log, the certificate was issued maliciously and won't be trusted. If this is truly the case, the CA could revoke it with OCSP checking. And no CA other than the one designated by the site owner is allowed. Then we're back to securing DNS. :-)

This isn't in strict enforcement now, but in a couple of years when browsers have placed enough pressure on CAs, this could be workable and addresses most of the paranoia mentioned in the article.
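The "no CA other than the one designated by the site owner" part of the comment is the CAA check a CA has to run before issuing (RFC 8659). The following is an added example, not code from the comment or from any CA: it evaluates CAA policy over a constructed, in-memory zone snapshot instead of live DNS, so it runs offline. The zone names, the CA identifiers (`ca-one.example`, `ca-two.example`) and the record contents are all made-up placeholders; a real CA would substitute its published issuer-domain-name and a DNSSEC-validating resolver.

```python
"""RFC 8659 CAA evaluation over a constructed zone snapshot (added example)."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit in the CAA flags octet


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data: owner name -> CAA RRset. Names absent from the
# dict have no CAA records at all (the common case for most labels).
ZONE = {
    "example.com.": [
        CAA(0, "issue", "ca-one.example"),           # only ca-one may issue
        CAA(0, "issuewild", ";"),                    # nobody may issue wildcards
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com.": [CAA(0, "issue", ";")],   # issuance forbidden outright
    "other.example.com.": [
        CAA(0, "issue", "ca-two.example; validationmethods=dns-01"),
    ],
    "odd.example.com.": [CAA(CRITICAL, "futuretag", "x")],  # unknown critical tag
}


def relevant_rrset(fqdn):
    """RFC 8659 section 3: walk from the FQDN towards the root and return
    the first CAA RRset found; an empty list means no CAA at any level."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in ZONE:
            return ZONE[name]
    return []


def issuer_domain(value):
    """Extract the issuer-domain-name from an issue/issuewild value,
    dropping ';'-separated parameters such as validationmethods."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(fqdn, ca, wildcard=False):
    """Return True if the CA identified by `ca` is permitted to issue a
    certificate for `fqdn` (a wildcard certificate when `wildcard` is set)."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: no restriction applies
    # A critical record whose tag the issuer does not understand blocks issuance.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    if wildcard:
        # issuewild governs wildcards when present; otherwise fall back to issue.
        chosen = [r for r in rrset if r.tag == "issuewild"]
        if not chosen:
            chosen = [r for r in rrset if r.tag == "issue"]
    else:
        chosen = [r for r in rrset if r.tag == "issue"]
    if not chosen:
        return True  # CAA present but no issue property: unrestricted
    allowed = {issuer_domain(r.value) for r in chosen}
    allowed.discard("")  # 'issue ";"' names no issuer, so it authorizes nobody
    return ca.lower() in allowed


if __name__ == "__main__":
    for name, ca, wild in [
        ("www.example.com.", "ca-one.example", False),
        ("www.example.com.", "ca-two.example", False),
        ("example.com.", "ca-one.example", True),
        ("locked.example.com.", "ca-one.example", False),
        ("other.example.com.", "ca-two.example", False),
        ("unrelated.test.", "anyone.example", False),
    ]:
        print(f"{name:22} {ca:16} wildcard={wild!s:5} -> {may_issue(name, ca, wild)}")
```

The tree-climbing lookup is the part worth noticing: a record at `example.com.` constrains every name beneath it that has no CAA of its own, which is what lets a site owner designate a single CA for the whole zone, and also why the whole scheme is only as trustworthy as the DNS answers the CA receives.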