Re: If I were a layman
"I never got why we need a CA anyway.
If I trust Facebook, then I trust Facebook. I don't necessarily trust every website ever created by anyone who's bought a certificate from the supplier that Facebook's bought their certificate from.
SNIP
Key security should be in the DNS, and should be tied - the .uk root should be saying THIS is the cert for the .co.uk TLD and it's the only one I specify. And then when asked, .co.uk will say THIS is the cert for the facebook.co.uk site (and here's the IPv4 and IPv6 addresses). And then Facebook can specify what THEY want under that domain as required. All signed, all authorised, back to the root."
Actually, I don't think security by network (which seems to be your point) is enough. After DNS is secured, you have to secure the transport, and the physical layer etc ... Long efforts before you're SURE www.facebook.com is really facebook.
SSL took the approach of end to end cryptography, which is desirable and good.
The only problem is there is a gap: all CAs are hard coded in the browser and no user ever looks at them (they're so obscure ...) and there is no secure directory service. That's the current security hole exploited by Superfish and its siblings and the real shortcoming of SSL.
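As an added illustration of the two trust models argued over above (this is example code written for this page, not anything posted by either commenter): a flat browser-style store in which any trusted root can vouch for any name, next to the one-level-at-a-time hierarchy the quoted post describes (.uk vouches for .co.uk, .co.uk for facebook.co.uk, and so on). The keys, the names "Facebook's CA" and "Unrelated CA", and the payload format are all constructed for the demo; the "Unrelated CA" simply stands in the position an injected root such as Superfish's occupies. Ed25519 from Go's standard library is used as the signature scheme, which is an assumption of the example, not a claim about DNSSEC or X.509.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// cert is a minimal stand-in for a certificate: a name bound to a public key,
// signed by some issuer. The signed payload is name + NUL + raw key bytes;
// there is no X.509 or DNSSEC wire format here, only the trust relationship.
type cert struct {
	Name string
	Key  ed25519.PublicKey
	Sig  []byte
}

type signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newSigner(name string) *signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &signer{Name: name, Pub: pub, priv: priv}
}

func payload(name string, key ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), key...)
}

// issue signs subject's name and key with s's key. Nothing stops any key from
// signing any name; the two models differ only in what a verifier accepts.
func (s *signer) issue(subject *signer) cert {
	return cert{subject.Name, subject.Pub, ed25519.Sign(s.priv, payload(subject.Name, subject.Pub))}
}

// browserAccepts models the flat CA store: a leaf is trusted when ANY root in
// the store verifies it, whatever the leaf's name and whoever the root is.
func browserAccepts(store []ed25519.PublicKey, leaf cert) bool {
	for _, root := range store {
		if ed25519.Verify(root, payload(leaf.Name, leaf.Key), leaf.Sig) {
			return true
		}
	}
	return false
}

// chainAccepts models the DNS-style hierarchy from the quoted post: a single
// anchor (name + key), and each link must be a direct child of the previous
// name AND be signed by the previous link's key. The root can vouch only for
// a TLD, the TLD only for names registered directly under it, and so on.
func chainAccepts(anchorName string, anchorKey ed25519.PublicKey, chain []cert) bool {
	parentName, parentKey := anchorName, anchorKey
	for _, c := range chain {
		if !isDirectChild(c.Name, parentName) ||
			!ed25519.Verify(parentKey, payload(c.Name, c.Key), c.Sig) {
			return false
		}
		parentName, parentKey = c.Name, c.Key
	}
	return true
}

// isDirectChild reports whether name is exactly one label below parent.
func isDirectChild(name, parent string) bool {
	suffix := "." + parent
	if !strings.HasSuffix(name, suffix) {
		return false
	}
	label := strings.TrimSuffix(name, suffix)
	return label != "" && !strings.Contains(label, ".")
}

type outcome struct {
	BrowserGenuine, BrowserRogue              bool
	ChainGenuine, ChainRogue, ChainSkipsLevel bool
}

// runScenario uses constructed keys: the .uk anchor, the .co.uk registry,
// facebook.co.uk and its www host, the CA Facebook bought from, an unrelated
// CA the browser also trusts, and an attacker's own key for the www name.
func runScenario() outcome {
	uk, couk := newSigner("uk"), newSigner("co.uk")
	fb, www := newSigner("facebook.co.uk"), newSigner("www.facebook.co.uk")
	facebookCA, otherCA := newSigner("Facebook's CA"), newSigner("Unrelated CA")
	impostor := newSigner("www.facebook.co.uk")

	store := []ed25519.PublicKey{facebookCA.Pub, otherCA.Pub}
	genuineLeaf := facebookCA.issue(www)
	rogueLeaf := otherCA.issue(impostor) // any trusted CA can sign any name

	return outcome{
		BrowserGenuine: browserAccepts(store, genuineLeaf),
		BrowserRogue:   browserAccepts(store, rogueLeaf),
		ChainGenuine:   chainAccepts("uk", uk.Pub, []cert{uk.issue(couk), couk.issue(fb), fb.issue(www)}),
		// rogueLeaf is not signed by facebook.co.uk's key, so the chain breaks.
		ChainRogue: chainAccepts("uk", uk.Pub, []cert{uk.issue(couk), couk.issue(fb), rogueLeaf}),
		// Even the anchor cannot vouch for a name two levels down.
		ChainSkipsLevel: chainAccepts("uk", uk.Pub, []cert{uk.issue(fb), fb.issue(www)}),
	}
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Running it prints BrowserGenuine and BrowserRogue both true (the flat store cannot tell the two apart, which is the gap the reply points at), while the hierarchical check accepts only the chain that runs uk -> co.uk -> facebook.co.uk -> www with each link signed by its parent. What the example leaves out is equally relevant: the hierarchy puts every name under the control of its parent's key, so a compromised or coerced registry key is the corresponding single point of failure.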