
Did you just forget that CAs exist? They are centralized. You always have to trust SOMEONE. Even if it's the person that wrote the CA software being used, or the supply chain that provided the software to a vendor, or or or. See what I mean?



The CAs being centralized is not a problem. They do the verification and issue the certificate. The privacy concern stems from using the certificate and CAs are not involved in that process.

Yes you do have to trust someone and the CA is the trusted entity for doing the verification, but once they do the verification and in effect encode that verification onto a certificate, their role is done.


Meh, while I think he has some misunderstandings about the role of CAs, I'm not sure you're doing any better: you can certainly use certificates in a decentralized manner; I use them every day for ssh. No third parties are involved at all.


But decentralized CAs for identity verification still have the same problem: you have to trust someone. They said zero-trust, which I don't think is possible.


I very much understand the roles of CAs :)



