I don't get why I have to trust a CA at all.
Trusting someone who will make me "trust" hundreds of thousands of other websites, just to visit the one I want, seems absolutely ludicrous on the face of it. Convenience over security from the start isn't a good sign.
Until we get to publishing TLS records inside a secure DNS, what's wrong with showing me the hash of the website's certificate and letting me choose whether or not to trust it, à la SSH?
I'd much rather have an ad hoc system of someone publishing what hash THEY see for Facebook and what I see for Facebook, and then, if they match, I have a semblance of security. Even some kind of P2P collection of known hashes would be a good start, and if we can get a Bitcoin-like "you have to control more than 50% of nodes in order to change hashes" system, then it's perfect.
CAs are a nonsense. By default, my browser will trust the opinion of several dozen international organisations as to whether one of TENS OF MILLIONS of certificates is genuine (based on how much they are paid and usually nothing more than domain verification by email, of all things!).
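The scheme sketched in the comment above (SSH-style trust-on-first-use pinning of a certificate hash, plus comparing the hash several observers see and accepting only a strict majority) can be written down in a few dozen lines. The following is an added illustration, not code from the commenter or from any browser or CA. It assumes a SHA-256 fingerprint over the DER certificate bytes (the same value `openssl x509 -fingerprint -sha256` prints), a hypothetical `TofuStore` that plays the role of SSH's `known_hosts`, and a hypothetical `consensus()` that applies the "more than 50% of observers" rule; the certificate bytes are constructed stand-ins, since a real client would feed in `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# In a real client these bytes come from ssl.SSLSocket.getpeercert(binary_form=True).
SAMPLE_CERT_A = b"constructed DER bytes: cert currently served for www.facebook.com"
SAMPLE_CERT_B = b"constructed DER bytes: a different cert for the same hostname"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER bytes, rendered as colon-separated upper-case hex.

    This matches what browsers show as the certificate's SHA-256 fingerprint,
    so a fingerprint published by a friend can be compared with one you see.
    """
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinMismatch(Exception):
    """Raised when a host presents a certificate whose hash differs from the pin.

    The SSH equivalent is 'WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!'.
    """


@dataclass
class TofuStore:
    """Hypothetical known_hosts-style store: hostname -> pinned fingerprint."""

    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> str:
        """Trust on first use: pin the first hash seen, then insist on it."""
        seen = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = seen  # first contact: record, nothing to compare against
            return "new"
        if pinned == seen:
            return "match"
        raise PinMismatch(f"{host}: pinned {pinned} but server presented {seen}")


def consensus(observations: Dict[str, str], threshold: float = 0.5) -> Optional[str]:
    """Return the fingerprint reported by strictly more than `threshold` of the observers.

    `observations` maps an observer id (you, a friend, a P2P node) to the
    fingerprint it saw for one hostname. A tie or a split vote yields None,
    i.e. no hash has enough agreement to be trusted.
    """
    if not observations:
        return None
    fp, votes = Counter(observations.values()).most_common(1)[0]
    return fp if votes > threshold * len(observations) else None


def demo() -> dict:
    """Run the TOFU store and the observer vote over the constructed sample certs."""
    store = TofuStore()
    results = {
        "first_visit": store.check("www.facebook.com", SAMPLE_CERT_A),
        "second_visit": store.check("www.facebook.com", SAMPLE_CERT_A),
    }
    try:
        store.check("www.facebook.com", SAMPLE_CERT_B)
        results["changed_cert"] = "accepted"
    except PinMismatch:
        results["changed_cert"] = "rejected"

    fa, fb = fingerprint(SAMPLE_CERT_A), fingerprint(SAMPLE_CERT_B)
    # Three of four observers agree on A: strict majority, A is accepted.
    results["majority"] = consensus({"me": fa, "friend": fa, "node-1": fa, "node-2": fb}) == fa
    # Two against two: no strict majority, nothing is accepted.
    results["split"] = consensus({"me": fa, "friend": fb}) is None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the code makes visible that the proposal glosses over: a TOFU pin only helps on the second and later visits, so it says nothing about whether the first certificate you saw was genuine, and any legitimate certificate rotation (Let's Encrypt renews every 90 days) looks exactly like an attack to `check()`. The observer vote mitigates the first problem only if the observers are independent vantage points; counting votes by node, as in the "more than 50% of nodes" phrasing, is only as strong as the cost of spinning up nodes.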