@s{quotedtext}
@s{quotedtext}
What Mike said.
Building a new PKI infrastructure is most definitely out of scope right now.
But if somebody wants to spearhead an effort to get CAs to allow extra public keys in the certificates that they issue... that might be worthwhile.
Then again, maybe not-- DNSSEC/DANE might make the CAs obsolete.