Comment Re:Good FA (Score 1) 49
Yes, and this also exists today (assuming you have working DNSSEC) for OpenSSH.
That is, OpenSSH is already programmed to be able to confirm a remote host fingerprint by looking in DNS. This means "ssh foo.example.com" would reliably connect you to the machine that example.com's owners call 'foo', subject only to interference from the COM registry operator and the DNS root. If someone spoofs DNS, DNSSEC will report it; if they try to spoof the machine itself or TCP/IP, the OpenSSH fingerprint won't match. If they try a man-in-the-middle attack, the protocol design leaves them just moving your encrypted data with no clue what it says.
A public key trust system needs a trust root, but DNS conveniently already has one. We may fix a remarkable number of technical problems via DNSSEC, once we get the root signed and the political problems solved.
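
The check described in the comment above, sketched as an added example that is not part of the original comment and is not OpenSSH's code (OpenSSH does this itself when `VerifyHostKeyDNS` is enabled). It computes the SSHFP record data for a host key and accepts the key only when a DNSSEC-validated record matches. Assumptions: the `dnssec_validated` flag comes from a validating resolver, and the sample keys are constructed bytes, not real keys.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def sshfp_rdata(pubkey_line, fp_type=2):
    """Return (algorithm, fp_type, hex fingerprint) for an OpenSSH public key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The key blob begins with a length-prefixed copy of the key type; check it.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii") != key_type:
        raise ValueError("key type does not match key blob")
    # The fingerprint is the hash of the whole decoded key blob.
    return KEY_ALGS[key_type], fp_type, FP_TYPES[fp_type](blob).hexdigest()

def host_key_trusted(pubkey_line, sshfp_records, dnssec_validated):
    """Accept the host key only if a DNSSEC-validated SSHFP record matches it."""
    if not dnssec_validated:
        return False  # an unsigned answer could have been spoofed
    for alg, fp_type, fingerprint in sshfp_records:
        if fp_type not in FP_TYPES:
            continue  # unknown fingerprint type: ignore the record
        if sshfp_rdata(pubkey_line, fp_type) == (alg, fp_type, fingerprint.lower()):
            return True
    return False

def sample_key(seed):
    """Build a constructed ssh-ed25519 key line (hypothetical helper, not a real key)."""
    name = b"ssh-ed25519"
    pub = hashlib.sha256(seed).digest()  # 32 constructed bytes standing in for a key
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(pub)) + pub
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " foo.example.com"

if __name__ == "__main__":
    real, impostor = sample_key(b"real host"), sample_key(b"impostor")
    zone = [sshfp_rdata(real)]  # what the zone owner would publish
    print("foo.example.com. IN SSHFP %d %d %s" % zone[0])
    print("real host, signed answer:  ", host_key_trusted(real, zone, True))
    print("impostor, signed answer:   ", host_key_trusted(impostor, zone, True))
    print("real host, unsigned answer:", host_key_trusted(real, zone, False))
```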