
Google, Microsoft, Apple, Facebook, NSA, etc. do agree with your view. I personally do not welcome public CAs everywhere, I don't welcome IPv6 everywhere. I don't want people knowing any more about my private systems than I choose to divulge.


Having talked with PKI folks at the first three of those, no: there is considerable weight at Google and Apple at least that non-public certificates do NOT belong in the public PKI. There’s reasonable evidence to be had that many of the problems public CAs have had with content and algorithm agility have stemmed from the use of public CA infrastructure for internal or private uses that never belonged in the public space. Things like OU fields, custom OIDs, and old algorithms were all difficult to move away from because large customers of public CAs were busy using those things for purposes better suited for internal infrastructure.

This is one reason many of the browsers have started enforcing things like CT stamps for roots with clear exceptions for enterprise CAs. They want to encourage people to move their internal uses to internal PKIs instead, so that it’s easier to make clear rules about the content of public certs.


> I don't welcome IPv6 everywhere

Huh? What about it? As in the v4 case you should put your network behind a firewall, hiding it from access from outside. If you’re referring to NAT, you can use it with v6 too, though I don’t think it’s reasonable - NAT doesn’t add much security and it shouldn’t be used as a security mechanism.
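As an added illustration of the point above (not part of the thread), here is a stateful nftables ruleset for a Linux edge router that gives an IPv6 LAN the same "hidden from outside" posture people expect from v4 NAT, without any address translation. It assumes `eth0` is the WAN side and `eth1` the LAN side (assumed names), and it keeps the ICMPv6 types IPv6 needs to function, which is the part that is usually broken when people simply drop all inbound v6.

```nft
# Stateful IPv6 edge firewall (assumed interfaces: eth0 = WAN, eth1 = LAN).
# Default deny inbound; outbound sessions and their replies are allowed.
table ip6 edge {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 that must pass for v6 to work at all: neighbour discovery,
        # router advertisements from upstream, PMTU discovery and errors.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, nd-router-advert, nd-neighbor-solicit,
            nd-neighbor-advert
        } accept

        # Let the LAN reach the router itself (e.g. for SSH management).
        iif eth1 tcp dport 22 accept

        # DHCPv6 client replies arrive on link-local, port 546.
        iif eth0 udp dport 546 ip6 daddr fe80::/64 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to sessions the LAN opened.
        ct state established,related accept
        ct state invalid drop

        # LAN may initiate anything outbound.
        iif eth1 oif eth0 accept

        # Unsolicited inbound to the LAN stays dropped by policy, except the
        # ICMPv6 error/PMTU types, which are required end-to-end.
        iif eth0 oif eth1 icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem
        } accept
    }
}
```

Load it with `nft -f` and verify with `nft list ruleset`; inbound connections from the WAN to LAN hosts are refused by the default drop policy, which is the security property NAT was being credited with.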





