I think the problem with putting the cert fingerprint into DNS is the application doesn't know if the response was secured by DNSSEC or not.
To get rid of CAs for basic cert uses, which is protecting passwords from being sent in the clear, Mozilla should be implementing and advocating RFC 5054, TLS/SRP. However, NSS (a Mozilla subproject) won't add it until Mozilla does the UI work, but Mozilla wants to do the UI work as extensions, so it needs NSS done first.
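The first point above (an application fetching a fingerprint from DNS cannot tell from the record alone whether DNSSEC protected it) is what the AD ("Authenticated Data") bit in the DNS header exists for: a validating resolver sets it only when it verified the answer. The following is an added example, not code from the comment or from any Mozilla project. It parses a DNS response from wire format with only the standard library and releases TLSA records to the caller only when AD is set. The response bytes, the query name `_443._tcp.example.com`, the transaction ID and the 32-byte digest are all constructed here for illustration.

```python
import struct

# DNS header flag bits (RFC 1035 header layout; AD bit defined in RFC 4035)
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authenticated Data: the resolver validated the answer via DNSSEC
TYPE_TLSA = 52    # RRTYPE for DANE TLSA records (RFC 6698)
CLASS_IN = 1


def _encode_name(name):
    """Encode a dotted domain name as DNS labels (used only to build sample data)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _read_name(wire, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            ptr = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2      # the caller continues after the pointer itself
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(wire[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_tlsa_response(validated, digest):
    """Constructed sample: one TLSA answer for _443._tcp.example.com, AD set or not."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if validated else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)  # id, flags, qd, an, ns, ar
    question = _encode_name("_443._tcp.example.com") + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    rdata = bytes([3, 1, 1]) + digest  # usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)
    # 0xC00C is a compression pointer back to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def parse_tlsa_response(wire):
    """Return (ad_bit_set, [(usage, selector, matching_type, cert_data), ...])."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = _read_name(wire, off)
        off += 4                      # qtype + qclass
    records = []
    for _ in range(ancount):
        _, off = _read_name(wire, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
        off += 10
        rdata = wire[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TLSA and rclass == CLASS_IN and len(rdata) > 3:
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    return bool(flags & FLAG_AD), records


def usable_tlsa_records(wire):
    """TLSA data the application may pin against: only when the answer was DNSSEC-validated."""
    ad, records = parse_tlsa_response(wire)
    return records if ad else []
```

The AD bit is set by the resolver, not signed by the zone, so this check is only as good as the path to that resolver: a validating resolver on localhost or reached over an authenticated channel makes it meaningful, while an AD bit arriving in plain UDP from a remote resolver could have been set by anyone on the path. That is the gap an application has to close before treating a DNS-published fingerprint as a CA replacement.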
Copyright © 2017, Eklektix, Inc.