
under DNSSEC, Libya would have been BIT.LY's CA.

True, but at least it says that prominently on the tin.



I don't know you, so please don't take too much offense to this, but isn't that sentiment simply batshit crazy? "Sure, DNSSEC literally bakes an implicit trust in world governments into the core security model of the entire Internet, but at least it's up front about it!"

Please understand this: you can stop trusting every HTTPS/SSL CA today, and, as you visit HTTPS sites, accept their keys individually.

There is absolutely no reason whatsoever for anyone to settle on this point, either with negligent corporations or with governments.


No, that was not my point.

My point is the advantage here is that the name "BIT.LY" itself clearly says who you are trusting to certify that name: You are trusting ".LY". If you do not trust ".LY", you can go about your day ignoring "∗.LY" sites, and your ability to separately trust "∗.NO" is unaffected.

The fact that governments ultimately control most of these trust domains is unfortunate, but it is still nice to be able to have different trust domains. If I want to actually see the unedited propaganda of the Libyan government, then I sure as hell do trust the Libyan government the most to deliver that; conversely, I trust the US Government the most to certify that I'm actually browsing whitehouse.gov.

Such a model allows me to see when I am browsing the Libyan-government-guaranteed part of the Internet - I know that any lies I read are Libyan government lies, and if my pockets are fleeced they will be fleeced with Libyan government complicity or incompetence.

And sure, it'd be great if governments didn't have a monopoly - if there was, say, a Google-guaranteed part of the Internet too. This isn't too crucial, though: ultimately, all corporations are answerable to at least one government, that can compel the corporation to act in the interest of that government. By trusting Verisign I'm already trusting the US Government - it's just hidden.


Why should anybody's choice of names determine whether their users can trust SSL?


Absent manual distribution of keys, it is always the host's choice who their users must trust to verify their identity - the equivalent statement currently is "Why should anybody's choice of CA determine whether their users can trust SSL?".

Allowing separate, clearly delineated trust domains that are obvious to the user is a good idea, because it would facilitate competition between the trust anchors of those domains. If a trust domain built a reputation for highly trustable, carefully-validated certificates, it could charge a premium. A ".CH" domain as the online equivalent of a Swiss bank account? (probably not literally .CH of course, given their reputation regarding crypto).

Having those trust domains associated with governments is also reasonable: the citizens that government is answerable to can punish conspiracies and cock-ups, and all corporations are ultimately answerable to a government, so by trusting a corporation you are really trusting a government anyway.

(By the way, I am not a spear-carrier for DNSSEC - I would just like to be able to restrict the domains that a CA is able to vouch for).
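Added illustration (not any commenter's code) of the two mechanisms argued about above: a DNSSEC-style chain in which each zone's key is vouched for by its parent, so distrusting ".LY" rejects everything under it while ".NO" is unaffected, and the RFC 5280 dNSName name-constraint match that is the existing X.509 way to restrict what a CA may vouch for. Zone names and the distrust policy are constructed for the example.

```python
# Models "the trust domain follows the name" (DNSSEC-style delegation) and
# the RFC 5280 4.2.1.10 dNSName name constraint, the X.509 mechanism for
# limiting the names a CA can certify.  Names and policies are constructed.

def trust_chain(name: str) -> list[str]:
    """Zones whose keys vouch for `name`, from the root anchor downwards.
    For "bit.ly" this is [".", "ly", "bit.ly"]: the root signs the .ly key,
    which in turn signs the bit.ly key."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    chain = ["."]  # the root zone key is the single configured anchor
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]))
    return chain

def is_trusted(name: str, distrusted_zones: set[str]) -> bool:
    """A user who distrusts a zone rejects every name delegated from it,
    without touching names under other zones."""
    return not any(zone in distrusted_zones for zone in trust_chain(name))

def dns_name_permitted(host: str, permitted: list[str]) -> bool:
    """RFC 5280 dNSName constraint: a host satisfies a constraint when it
    equals it or is built by adding labels on the left (so "ch" permits
    "bank.ch" but not "bankch.com")."""
    host = host.lower().rstrip(".")
    for constraint in permitted:
        c = constraint.lower().strip(".")
        if host == c or host.endswith("." + c):
            return True
    return False

if __name__ == "__main__":
    distrust = {"ly"}  # constructed user policy: do not trust the .ly anchor
    for n in ("bit.ly", "nrk.no"):
        print(n, trust_chain(n), "trusted" if is_trusted(n, distrust) else "rejected")
    print(dns_name_permitted("bank.ch", ["ch"]), dns_name_permitted("bankch.com", ["ch"]))
```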


"Why should anyone's choice of CA determine trust" is not equivalent to "why should any site's choice of top level domain determine trust". Users control CAs. They do not control TLDs.

If you dislike the CA model that HTTPS/SSL has, you should have your spear pointed at DNSSEC.

Like I said upthread, we probably agree regarding the current HTTPS/SSL PKI.



