
The problem is the PKI. For your own services, you can have your own PKI, and the issue of "trust one, trust all" is not really an issue anymore because you would only trust your own certificates for your own services.

The problem is that pretty much any CA trusted by your OS/browser can issue certificates that allow anyone who can control your network to MITM you.

A solution for this would be DNSSEC, where only .com would be able to sign foo.com, bar.com and other .com domains. But still, would you trust the issuer of .com certificates?
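The comment above argues that the only way out of "trust one, trust all" is to trust nothing but your own CA for your own services, and that DNSSEC would instead let the zone operator vouch for a name. The Go program below is an added illustration, not code from the commenter or from any real PKI: it builds two throwaway CAs, has each issue a certificate for the same hostname, and verifies with a trust pool that holds only the first. The leaf from the CA we never chose fails with `UnknownAuthorityError` until that CA is added to the pool, at which point it is accepted exactly as a system trust store would accept it. It also computes the SHA-256 of the leaf's SubjectPublicKeyInfo, which is the value a DANE TLSA record (selector 1, matching type 1) would publish under DNSSEC. The hostname `svc.example.internal` and both CA names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// sign generates a fresh P-256 key and has parent sign tmpl for it.
// A nil parent means tmpl signs itself (a root CA).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate describes a throwaway root CA (constructed, not a real anchor).
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// leafTemplate describes a server certificate for host.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyAgainst validates leaf for host using only the listed roots; the
// system trust store is deliberately never consulted.
func verifyAgainst(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// spkiPin is SHA-256 over the SubjectPublicKeyInfo: the payload of a DANE
// TLSA record with selector 1 (SPKI) and matching type 1 (SHA-256).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// TrustDemo records the outcome of each verification.
type TrustDemo struct {
	OwnAccepted              bool   // own CA's leaf passes with own CA as the only root
	OtherRejected            bool   // unchosen CA's leaf for the same host is rejected
	OtherAcceptedWhenTrusted bool   // ...but passes once that CA is in the pool
	Pin                      string // SPKI hash of the own leaf, hex
}

// RunDemo builds the two CAs, issues a leaf from each, and runs the checks.
func RunDemo() (TrustDemo, error) {
	const host = "svc.example.internal" // hypothetical service name
	ownCA, ownKey, err := sign(caTemplate("Internal Root CA (example)"), nil, nil)
	if err != nil {
		return TrustDemo{}, err
	}
	otherCA, otherKey, err := sign(caTemplate("Unrelated Public CA (example)"), nil, nil)
	if err != nil {
		return TrustDemo{}, err
	}
	ownLeaf, _, err := sign(leafTemplate(host), ownCA, ownKey)
	if err != nil {
		return TrustDemo{}, err
	}
	// Same hostname, signed by a CA we never chose: the MITM case from the comment.
	otherLeaf, _, err := sign(leafTemplate(host), otherCA, otherKey)
	if err != nil {
		return TrustDemo{}, err
	}
	var unknown x509.UnknownAuthorityError
	d := TrustDemo{Pin: spkiPin(ownLeaf)}
	d.OwnAccepted = verifyAgainst(ownLeaf, host, ownCA) == nil
	d.OtherRejected = errors.As(verifyAgainst(otherLeaf, host, ownCA), &unknown)
	d.OtherAcceptedWhenTrusted = verifyAgainst(otherLeaf, host, ownCA, otherCA) == nil
	return d, nil
}

func main() {
	d, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", d)
}
```

The third check is the point of the comment: a trust pool is all-or-nothing per root, so every CA you add can vouch for every name. Pinning the SPKI hash (whether in application config or in a DNSSEC-signed TLSA record) narrows the question from "is some trusted CA willing to sign this name" to "is this the key the operator published".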





