ability to install extra signing keys
Surely the compromise with all of this is to give the end user the ability to either switch it on/off, or install additional keys? This is no different to the way some operating systems come with a firewall installed, which the end user can either disable or customise - e.g. set up their own port rules - based on their needs. It's just a layer of security that can be customised.
We have to remember that for the vast majority of people (not Reg readers, but everyone else!) whether this can be switched on or off will probably never be an issue.
Or would people still have a problem for this if it was switched on by default with the ability to turn it off or amend it somehow?