A surprising number of things are starting to rely on these curated lists to handle "most" cases. The valid-key flip-side of this key blocklist is the public-key pinning list, which is also pretty half-assed.
With a different (non-crypto) bit of web technology, there's also the mess of how to determine what the "real" domain of a site controlled by an entity is. E.g. in the UK, a domain like example.co.uk is a third-level domain, but is conventionally treated as domain 'example' with suffix '.co.uk', not as domain 'co' in TLD 'uk', and subdomain 'example'. Whereas in dot-com, a domain like foo.example.com would be treated as domain 'example' in TLD 'com', with subdomain 'foo'. How to tell which is which? Yes, some human maintains a giant list, which browsers all build in.
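The list lookup described in the comment above, as an added example that is not part of the original comment: a minimal matcher for rules written in the Public Suffix List syntax, including wildcard (`*.`) and exception (`!`) rules. `SAMPLE_RULES` is a small constructed rule set, not the full list browsers ship, and the function names are hypothetical.

```python
# Added example: Public Suffix List matching over a small constructed rule set.
# SAMPLE_RULES uses the list's rule syntax; it is not the full list browsers ship.
SAMPLE_RULES = ["com", "uk", "co.uk", "*.ck", "!www.ck"]


def _matches(rule_labels, labels):
    """True if the rule matches the rightmost labels of the domain ('*' = any label)."""
    if len(rule_labels) > len(labels):
        return False
    tail = labels[-len(rule_labels):]
    return all(r in ("*", d) for r, d in zip(rule_labels, tail))


def _suffix_length(labels, rules):
    """Number of rightmost labels that form the public suffix."""
    best = None
    for rule in rules:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if not _matches(rule_labels, labels):
            continue
        if is_exception:
            # An exception rule always prevails; drop its leftmost label.
            return len(rule_labels) - 1
        if best is None or len(rule_labels) > best:
            best = len(rule_labels)  # otherwise the longest matching rule wins
    return best if best is not None else 1  # no match: implicit rule "*"


def public_suffix(domain, rules=SAMPLE_RULES):
    labels = domain.lower().rstrip(".").split(".")
    n = _suffix_length(labels, rules)
    return ".".join(labels[-n:])


def registrable_domain(domain, rules=SAMPLE_RULES):
    """Public suffix plus one label, or None if the name is itself a suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = _suffix_length(labels, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    for name in ("example.co.uk", "foo.example.com", "co.uk", "a.www.ck"):
        print(name, "->", registrable_domain(name))
```

Code that scopes cookies or compares origins by "same site" should call a maintained copy of the full list rather than count dots, since a name under `co.uk` and a name under `com` need different label counts.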