The issue is that nobody trusts corporations/capitalism.
Companies will have to increase prices due to tariffs because the line has to go up.
And when trump implements tariffs and the (if) he folds, the prices won’t go back down. They will stay at that level. Because suddenly, C-suite get to show a huge line-go-up and they get to receive a huge bonus that reflects this 25% (well, lower. But the required rise due to tariffs suddenly being free real-estate) profit increase that they pull out of their ass.
You can distribute your public key, and have people manually add it to their trust stores.
But OSs and browsers ship with preloaded trusted certificates. This way, the owner of a preloaded trusted certificate can issue new certificates that are automatically trusted by people’s OSs and browsers.
To become a preloaded trusted certificate owner, I imagine that there are stringent audits and security requirements. Part of that will be verifying the identity of the requester before issuing them a certificate.
With LetsEncrypt, they either need to talk to a server hosted at the domain to retrieve a token (generated when the request is initiated).
This proves the requester owns/controls the domain and the server (the requester has correctly set up DNS records, and placed the required token on the server). This is HTTP challenge mode.
The other method is by a DNS challenge. The requester adds a TXT record to their nameservers with the token value, letsencrypt then inspects the DNS records for the domain and will issue a cert when it sees the token. This proves the requester owns/controls the domain.
So, proving identity is required (otherwise anyone could generate a trusted cert for any domain). And trusted certificate issuers are required, so people don’t have to constantly import (possibly dodgy) public keys