It's also messed up that we have to pay for domain names. Why can't we have them for free? I want Google.com please. You can get free certs now, and more ways to obtain them are coming this summer. In either case, let's solve our immediate problem now, then add different authentication methods to browsers after.
Then why does VeriSign charge more than Gandi for the same thing (domain control validation)?
Why do we treat ID verified certificates (i.e. it has your name on it) as somehow "better" than the former, but the browser doesn't care, it just cares that the cert was signed?
Why do certificates expire, but not require new keys? (And why does this expiration cause a scary warning akin to a self-signed cert?) There is no practical reason for the expiration, save to line the pockets of the CAs.
None of this crap makes any sense, unless you view the CA system as exploitative and broken by design, in which case the answer to most of these things is "because greed".
I mostly agree with you, and the cynic in me says it's all about greed, except regarding expiration: nothing is eternal, especially considering crypto, so it's a safe assumption to say that nothing can be guaranteed for more than a given number of years. If you don't put a limit, you stall development of new primitives because deployment is more expensive than deprecation of what already exists. Putting a "best before" date keeps everyone's head up.
The CA system looks like a good idea on paper if you keep it technical; if you look at it from a more widespread angle there's little surprise that it turned out to be like it is. But the idea remains good.
It is zero. StartSSL has had free certs for years. Let's Encrypt will give another source of free certs. I expect shortly after that basic DV certs will be given out for free from most CAs. But most people don't care about finite or not finite resources. I am starting to suspect that the issue is mostly just the cost (with not everyone yet knowing how to get free certs). If your main objection is that you don't like the StartSSL UI, you can get a paid DV cert for $5. That is about half the price of your domain.
I'd take that over what we have now in a heartbeat.
My time isn't worthless, but for a personal website I am already "wasting" tons of time on it, and what is 5 minutes more? Better than a $60/year certificate.
StartSSL is too terrible. Let's Encrypt doesn't exist. And CloudFlare requires you to use their entire service for the free certificates.
At least not as long as your browser trusts hundreds of CAs, including shady ones such as Comodo[1] who will issue fake certs for any name (Google, Skype, etc.).
With an email hostmaster/webmaster@example.com and/or a DNS record. EV certs require more, but DV certs have their identities verified automatically in seconds.