by tptacek
5006 days ago
Sorry, I should also have mentioned TACK, Moxie and Trevor Perrin's proposed system of allowing servers to dynamically update certificate pins. As many people here know, Chrome already has a system of pinned keys, which means that as far as Chrome is concerned, Chrome is the final arbiter of GMail's public key, not Trustwave or any other CA. TACK allows browsers to keep a cached list of pins in somewhat similar fashion to HSTS, which caches a list of servers that must use TLS. TACK is just a proposed standard right now; I have no idea where it's going. But it's a good band-aid on the existing CA system.