You really believe under such a system there would be less phishing and spoofing than with using CAs? CA is a flawed system but given the realities of mass use by non-experts it is the least flawed system we have.
To be honest I don't know, but it would be hard to imagine things even more insecure.
I know without CAs, encryption would be fairly ubiquitous. That would make passive surveillance harder; but would not stop phishing. Browsers can limit the scope of spoofing by actually storing certificates and warning the user when they are changed: though after Heartbleed, "Certificate Patrol" has been noisy of late.
Incidentally, many Bitcoin websites use Cloudflare. Cloudflare works by performing a man-in-the-middle attack on the websites under "protection". If a hostile government (such as the US) instructs Cloudflare to attack a website; I am not sure they would say "no".
As of this writing, cryptothrift.com shares a cert with the following websites:
Somehow bitmit.net got a green verified Cloudflare cert before they went down.
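
The store-and-warn approach mentioned above, as an added example that is not part of the original posts: a trust-on-first-use store that remembers the certificate each host presented, keeps reporting a change until the user accepts it, and lists other hosts pinned to the same certificate. The class name, host names and certificate bytes are constructed for illustration; real input would be the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed-der-bytes-shared-cert-A"
CERT_B = b"constructed-der-bytes-reissued-cert-B"


class CertStore:
    """Trust-on-first-use store: host name -> fingerprint of the pinned cert."""

    def __init__(self):
        self.pins = {}

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def observe(self, host, der_bytes):
        """Compare the presented cert with the pin; never repin silently."""
        fp = self.fingerprint(der_bytes)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fp          # first contact: trust and remember
            return "first-seen"
        if pinned == fp:
            return "unchanged"
        return "changed"                  # pin kept until accept() is called

    def accept(self, host, der_bytes):
        """User decision: replace the pin (e.g. after a legitimate reissue)."""
        self.pins[host] = self.fingerprint(der_bytes)

    def shared_with(self, host):
        """Other hosts pinned to the same certificate (one cert, many names)."""
        fp = self.pins.get(host)
        return sorted(h for h, f in self.pins.items() if f == fp and h != host)


if __name__ == "__main__":
    store = CertStore()
    print(store.observe("shop.example", CERT_A))   # first visit
    print(store.observe("blog.example", CERT_A))   # unrelated host, same cert
    print(store.shared_with("shop.example"))       # hosts sharing that cert
    print(store.observe("shop.example", CERT_B))   # cert replaced -> warning
    store.accept("shop.example", CERT_B)
    print(store.observe("shop.example", CERT_B))   # quiet again after accept
```

A mass reissue makes every pinned host report a change at once, and each one needs an explicit accept before the store goes quiet.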
My bank has some pretty good online protocols/procedures. You first have to enter your username separately, and then you are shown a security image that you previously picked, like a mushroom or a banana or something. And only THEN do you enter your password.
My bank does the same thing. If you mistype your user-name, it asks for your password before presenting you with the "security image" though. I suspect those are mainly "security theatre" to make you think the site is secure.
But this is all off-topic :/