I think it looks like a flamewar, so for my benefit can you tell me what is the behavior: (I think I have it)
1) The docker index (public registry) lives at index.docker.io. If you push an image like "yebyen/foo" then you need to log in as "yebyen" and you're making yebyen/foo public.
2) The docker-registry project, when you deploy it, takes up port 8080 by default. If you push an image like "registry:8080/bar" or "my.registry/bar" the dot or the colon are detected before the slash, which are not valid parts of a username on the public index, so you push to that registry (your registry, or your organization's registry server ostensibly.) These connections are unauthenticated.
Is that about the state of things? Where is the confusion?
git has this concept of "remotes" which can be defined per project, but Docker has no such concept of a remote or even of a project. You have a Dockerfile and you have an image.
To be fair, there should be some kind of an "enterprisey" caching proxy that enables IT departments to act as a supervisor or man-in-the-middle, blessing some trusted images and forbidding the downloading of others, holding any pushes in a queue for "public release approval."
The docker-registry open source tool is rudimentary. I think there will certainly be alternatives to index.docker.io, and eventually even a configuration directive to select a different image host as the default.