> This somehow confirms my gut feeling that digital certificates are mainly a means to enforce exclusion on behalf of the certificate authority ownership. It is a tool to prevent people from taking full ownership and control of whatever is affected by digital certificates, be it software, firmware, hardware, or as in this case SSL/TLS. That's digital tyranny in disguise.
I think the "digital tyranny" is a side effect, not the main goal. They're "mainly a means" to prevent certain kinds of MITM attacks.
You could do that with a much saner approach like DANE.
Not back when SSL and the PKI ecosystem were developed.
Yes, actually you still could've. But it would require a pass through the IETF to standardize a DNS record type, and that would delay Netscape's release.
Any DNS-based solution needs something like DNSSEC to work. I believe DNSSEC didn't exist yet when HTTPS was being developed and even if it did, it wasn't anywhere near ubiquitous enough. Is it even these days?
I always thought the main goal was to force people to pay money for certificates.
Let's Encrypt certificates are free.