It is a separate issue as long as HTTP2 does not force any reliance on commercial CAs, or CAs other than the server owner. If it did, it would be the enemy of secure web traffic and would merit being rejected or modified.
But AFAIK, or if I've understood correctly, the proposals for HTTP2 continue allowing "self signed" certs. So all we need is better UI in the browsers, and some public means of verifying the association of a particular cert with a server, over time.
This scheme would reduce the vulerable areas to the case of TLAs coercing secret keys - which is a lot smaller than it is now with corrupt third-party CAs (and browser UI obstructing attempts to work around that system).
But AFAIK, or if I've understood correctly, the proposals for HTTP2 continue allowing "self signed" certs. So all we need is better UI in the browsers, and some public means of verifying the association of a particular cert with a server, over time.
This scheme would reduce the vulerable areas to the case of TLAs coercing secret keys - which is a lot smaller than it is now with corrupt third-party CAs (and browser UI obstructing attempts to work around that system).