Comment Re:ssh gets by just fine w/o Uzbekistan's CA (Score 1) 84
I don't really like the CA model either, but your suggestion doesn't seem thought through. SSH asks you to actually verify the key fingerprint of the new host key you are trying to connect to; this would be quite hard for non-technical users that want to visit their bank website etc. And like others commented, that would also be a PITA with key rollovers.
No, the real solution I think is developed in the DANE IETF WG: distributing keys through DNS, secured by DNSSEC.
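As an added illustration of the DANE mechanism the comment points to (example code, not from the post or the IETF WG; the certificate, SubjectPublicKeyInfo and TLSA records below are constructed stand-ins, not real DNS data), this shows how a client matches a DNSSEC-validated TLSA record's selector and matching type against the certificate the server presents:

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class TLSA:
    """One TLSA RR as it would come back from a DNSSEC-validated lookup."""
    usage: int          # 0/1 need PKIX validation too; 2 = DANE-TA, 3 = DANE-EE
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """Derive the bytes a TLSA record would carry for this certificate."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return subject
    if matching_type == 1:
        return hashlib.sha256(subject).digest()
    if matching_type == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def verify_server(records: Sequence[TLSA], cert_der: bytes,
                  spki_der: bytes) -> Optional[TLSA]:
    """Return the first DANE-EE record the presented cert satisfies, else None.

    Only usage 3 is handled: it pins the end-entity key directly, which is the
    case where DNSSEC alone replaces the CA. Usages 0-2 need chain building
    or PKIX validation on top, which this example deliberately omits.
    """
    for rr in records:
        if rr.usage != 3:
            continue
        try:
            expected = association_data(cert_der, spki_der, rr.selector, rr.matching_type)
        except ValueError:
            continue  # unknown field values: skip rather than fail open
        if expected == rr.data:
            return rr
    return None

# Constructed placeholders standing in for DER-encoded certificate and SPKI.
SAMPLE_CERT = b"constructed-certificate-der-bytes"
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_RECORDS = [
    TLSA(3, 1, 1, hashlib.sha256(b"some-rotated-out-key").digest()),  # stale key
    TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI).digest()),              # current key
]
```

Publishing both the old and new SPKI hashes during a rollover, as the record list above does, is how DANE avoids the fingerprint-rollover problem the comment raises for SSH.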