I mean, x.509 is even older, and yet we still don't have a real PKI.
There's no reason to think that some technology being 25 years old means it's dead if not used already.
We have two realistic paths to a true PKI, both based on DNS: a) DNSSEC, b) the registries/registrars operate name-constrained (at least as anchors) CAs. That's it.
The WebPKI offers little real security. Certificate transparency is just like DNSSEC -- it needs big deployment to be a win, and it's especially needed because we don't trust the CAs because there's so many because they are not name constrained.
In DNSSEC the trust problem is still there, so CT could be applied to DNSSEC, but if you use QName minimization then it's harder for the root zone and TLDs to decide when to MITM you -- that's a really strong characteristic that PKIX couldn't hope to have because it doesn't have a directory. (Stapling DNSSEC chains in TLS would defeat this, but it is needed for last mile reasons, such as hotel networks.)
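The name-constrained registry/registrar CA idea from the comment above, as an added illustration that is not code from this thread: a minimal RFC 5280 section 4.2.1.10 dNSName constraint check, walked down a constructed registry -> registrar chain to show how a leaf name is accepted or rejected. The hierarchy, the CA names and the `example` TLD are assumptions, and the check covers only dNSName constraints, not the rest of certificate path validation.

```python
"""dNSName name-constraint matching as RFC 5280 section 4.2.1.10 defines it,
applied to a hypothetical DNS-anchored CA hierarchy (constructed example)."""

from dataclasses import dataclass, field


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: the name equals the constraint or is a
    subdomain of it. A leading '.' in the constraint is tolerated here."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    if subtree == "":
        return True  # an empty constraint matches every name
    return name == subtree or name.endswith("." + subtree)


@dataclass
class CA:
    """A CA certificate reduced to the fields the check needs."""
    name: str
    permitted: list[str] = field(default_factory=list)  # permittedSubtrees
    excluded: list[str] = field(default_factory=list)   # excludedSubtrees


def name_allowed_by_chain(leaf_dns_name: str, chain: list[CA]) -> bool:
    """Walk the chain from anchor to issuing CA. Every CA carrying
    nameConstraints must accept the leaf name: at least one permitted
    subtree matches (when any are listed) and no excluded subtree matches.
    Constraints can therefore only shrink along the path."""
    for ca in chain:
        if ca.permitted and not any(
                dns_name_in_subtree(leaf_dns_name, s) for s in ca.permitted):
            return False
        if any(dns_name_in_subtree(leaf_dns_name, s) for s in ca.excluded):
            return False
    return True


# Constructed hierarchy mirroring the thread's idea of registry-operated,
# name-constrained anchors. 'example' is a placeholder TLD, not a real one.
REGISTRY_CA = CA("registry-for-example-tld", permitted=["example"])
REGISTRAR_CA = CA("registrar-delegated-to-corp", permitted=["corp.example"],
                  excluded=["internal.corp.example"])
CHAIN = [REGISTRY_CA, REGISTRAR_CA]

if __name__ == "__main__":
    for host in ["mail.corp.example", "corp.example", "mail.other.example",
                 "db.internal.corp.example", "corp.example.attacker.test"]:
        verdict = "allowed" if name_allowed_by_chain(host, CHAIN) else "rejected"
        print(f"{host:32} {verdict}")
```

A CA in this chain can only ever vouch for names inside its own subtree, which is the blast-radius argument for name constraints: a compromised registrar key cannot mint a valid name outside `corp.example`.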
Nobody likes the WebPKI. But if you posted the private key for any trusted CA on Pastebin, it would be a very big deal. People around the world would get paged, and many of them would actually have to come in to work.
Contrast that with DNSSEC. The root key for the entire Internet, the one they have the secret Stonecutters ceremony to establish, could end up on Pastebin tomorrow and nothing would happen. Nothing would happen the next day either. Weeks could elapse and nothing would happen.
What's more, the comparison holds if you go back a year, 2 years, 10 years. The WebPKI is old (though evolving, unlike DNSSEC, for which things like transparency logs remain defensively evoked hypotheticals), but it has been important throughout its life.
Hell, the application of DNSSEC we're talking about here is subsidiary to the WebPKI --- it's simply making sure that mail servers speak WebPKI-secured TLS to each other!