What we need is to do away with CAs entirely and use the DNS hierarchy to distribute keys (with DNSSEC for example). That way you only have to trust your own registrar (that you already need to trust anyway) and not any random CA in the world. So if you own example.com you get the COM registrar to sign your key and become your own CA for *.example.com.
That and an expensive *.example.com certificate would get you half of the way there. You still wouldn't be able to be your own CA, signing certificates for foo.example.com that other people can use. And it would require everyone to buy certificates from Verisign.
Nowadays national governments already set up their own CAs because they want to be able to issue certificates for all sorts of government organizations. With the setup I'm suggesting Germany would get .de signed, then they could sign gov.de and then have gov.de sign someagency.gov.de. somecompany.de would get their certificate from the DE registrar when they sign up for the domain and also be able to issue somepartner.somecompany.de or jabber.somecompany.de certificates that, if discovered, only compromise part of their network, unlike having a wildcard certificate installed on every server.
What random CAs? All the registrar does is say "I the owner of COM have delegated EXAMPLE.COM to FOO both by pointing the address to their servers and signing their public key." After that example.com can delegate within its domain both the addressing (regular DNS) and the signing of certificates for subdomains.
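The naming rule behind the hierarchy discussed in this thread, as an added example that is not from any of the commenters: a signer is accepted only for names strictly below its own zone, which also bounds which names are affected when one zone's key leaks. Signature checking is left out, and the function names and the host list are constructed for illustration.

```python
# Added illustration: models only the naming-scope rule of a DNS-rooted
# key hierarchy. Cryptographic signature verification is out of scope;
# each entry in a chain stands for a zone whose signature already verified.

def labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [part for part in name.lower().rstrip(".").split(".") if part]

def in_scope(issuer_zone, subject):
    """True if subject lies strictly below issuer_zone.

    Comparison is per label, so 'notexample.com' is not under 'example.com'.
    An empty issuer_zone represents the DNS root.
    """
    zone, subj = labels(issuer_zone), labels(subject)
    return len(subj) > len(zone) and subj[len(subj) - len(zone):] == zone

def validate_chain(chain):
    """chain lists zones from the trust anchor down to the leaf name.

    Returns (True, None) if every link stays inside its parent's zone,
    otherwise (False, (parent, child)) for the first link that does not.
    """
    for parent, child in zip(chain, chain[1:]):
        if not in_scope(parent, child):
            return False, (parent, child)
    return True, None

def affected_names(leaked_zone, hosts):
    """Names that must be treated as untrusted if leaked_zone's key leaks:
    the zone itself plus everything below it."""
    return sorted(
        h for h in hosts
        if labels(h) == labels(leaked_zone) or in_scope(leaked_zone, h)
    )

# Constructed sample inventory using the names from the thread.
HOSTS = [
    "www.somecompany.de",
    "jabber.somecompany.de",
    "somepartner.somecompany.de",
    "portal.somepartner.somecompany.de",
    "someagency.gov.de",
]

if __name__ == "__main__":
    print(validate_chain(["de", "gov.de", "someagency.gov.de"]))
    print(validate_chain(["de", "somecompany.de", "someagency.gov.de"]))
    print(affected_names("somepartner.somecompany.de", HOSTS))
```
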