Certificates in DNS?
I figure that a new DNS record for a website could be created with the certificate's public key and a URL for the issuer. That way the owner of the domain has at least some control over what certificates are considered valid for them.