Is this like saying human trust cannot be 100% delegated?
If so, that seems to be the model of the third party CA system. As a user, I really have little say in "who", e.g., the web browser, should trust. I have (unintentionally) delegated trust to third parties. They decide who I should trust. As a user, I am not supposed to care about or understand this process. This really does not sound like "authentication" to me because I have not authenticated anything. Everything is being handled by third parties.
A conventional PKI ("the third party CA system") separates out this authority. You trust Trent to discern who Bob, Carol, Dana, Edgar and Frank are.
In choosing to engage in conversation with Dana, or even Edgar, you are not obliged to accept their word as to the identity of Frank; that's always Trent's job. And so Edgar's unreliability and Dana's poor character judgement aren't a problem.
What if I already know "Carol"? Should a web browser block me from "conversing with Carol" because I did not get "Trent's" approval first? Seems like I should be the one who decides whether I approve of Carol or not. I am the one taking the risk of "having the conversation".
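The two situations above (Dana vouching for Frank, and a Carol I already know) can be played out with a real chain verifier. The following is an added example written for this page, not code from either poster, using only Go's standard-library crypto/x509. Trent is a root CA; Bob and Dana hold certificates Trent issued; Carol has a self-signed certificate that Trent knows nothing about; "Frank" is a certificate Dana signs with her own key. The cast, the `Party`/`Outcome` types and the 24-hour validity window are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Party is one member of the thread's cast: a keypair plus the certificate others see.
type Party struct {
	Name string
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newParty creates a keypair and a certificate for name. If issuer is nil the
// certificate is self-signed; otherwise it is signed with issuer's key, regardless
// of what issuer's own certificate says about being a CA. Anyone with a key can
// sign bytes; whether that signature counts is the relying party's decision.
func newParty(name string, isCA bool, issuer *Party) (*Party, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // assumed lifetime for the demo
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Key: key, Cert: cert}, nil
}

// trusts reports whether leaf chains to one of the anchors I chose. The
// intermediates are untrusted links a peer might hand me along with its own
// certificate; they only help if the chain ends at one of my anchors.
func trusts(leaf *x509.Certificate, anchors, intermediates []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inter := x509.NewCertPool()
	for _, i := range intermediates {
		inter.AddCert(i)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Outcome records each trust decision from the discussion above.
type Outcome struct {
	BobViaTrent        bool // Trent issued Bob's cert and I trust Trent
	FrankVouchedByDana bool // Dana, an end entity Trent certified, signed a cert for "Frank"
	CarolViaTrentOnly  bool // Carol's self-signed cert checked against Trent alone
	CarolViaMyAnchor   bool // the same cert after I add Carol to my own anchors
}

// RunScenario builds the cast and evaluates the four decisions.
func RunScenario() (Outcome, error) {
	var out Outcome
	trent, err := newParty("Trent", true, nil)
	if err != nil {
		return out, err
	}
	bob, err := newParty("Bob", false, trent)
	if err != nil {
		return out, err
	}
	dana, err := newParty("Dana", false, trent)
	if err != nil {
		return out, err
	}
	carol, err := newParty("Carol", false, nil)
	if err != nil {
		return out, err
	}
	trentOnly := []*x509.Certificate{trent.Cert}
	out.BobViaTrent = trusts(bob.Cert, trentOnly, nil)
	// Dana's word about Frank never reaches Trent: her certificate is not a CA
	// certificate, so a chain through it is rejected even when she hands it over.
	if frank, err := newParty("Frank", false, dana); err == nil {
		out.FrankVouchedByDana = trusts(frank.Cert, trentOnly, []*x509.Certificate{dana.Cert})
	}
	out.CarolViaTrentOnly = trusts(carol.Cert, trentOnly, nil)
	// Knowing Carol myself means anchoring her certificate directly; no CA is consulted.
	out.CarolViaMyAnchor = trusts(carol.Cert, []*x509.Certificate{trent.Cert, carol.Cert}, nil)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The verifier never consults Dana's opinion about Frank, which is the separation of authority described two posts up, and the last two checks show that "Trent's approval" is only a default: the relying party owns the anchor set, and adding Carol's certificate to it is exactly how a browser's manually trusted certificate (or a pinned key) lets a known peer through without any CA involved.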