I suppose one question is: how do you check fingerprints?Well, if you're doing DNSsec as Olle suggested, you just put the whole public key in the DNS using a DNSKEY record. You then authenticate the record using standard DNSsec protocols. (This currently works in .se and .br, and is supposed to be rolled out next yet for .org. Having IANA actually sign the root is still some ways off.)
Getting this support into implementations also takes time, so this might go hand-in-hand. /Olle (proud .se domain owner :-) )
smime.p7s
Description: S/MIME cryptographic signature
