typical google thinking
This paper is half-assed. It describes a protocol but not the system. Well, guys, turns out that it's the systems that crumble.
It further suggests two terrible, guaranteed-to-fail ways to deploy it:
1. "let's have one big centralised system", and
2. "let's trust the CAs".
Well, (1) that's one of the main reasons that Wave failed, guys; and (2) is the current problem and there is some very sloppy thinking in the paper that claims it would work around this, but actually wouldn't if the CA is compromised and selectively doesn't publish to the list. I can guarantee you that every browser & smartphone will continue to allow this scenario simply for backwards compatibility during the inevitable decades-long ramp up period.
3. "Something else but we couldn't think of it".
The ONLY way to do this and leave control in the hands of certificate users, where it belongs, is with federated certificate verification. See: DANE (since we can this NOW), and the meta-protocol for cert trust verification, Convergence.
Thanks for trying guys but consider your paper extremely negatively peer reviewed for proposing a system with so many fragile assumptions about human and corporate behaviour.