EFF Data Shows Five CAs Compromised Since June

33 points by TheloniusPhunk, over 13 years ago

2 comments

jbyers, over 13 years ago
Original article: https://www.eff.org/deeplinks/2011/10/how-secure-https-today
inopinatus, over 13 years ago
I don't think that we can fix the burgeoning sprawl of dodgy CAs - that horse has already bolted. Moxie Marlinspike's Convergence framework might be a solution but it needs critical mass.

We can also create a second validation of every certificate via DNSSEC, which means a counterfeit cert becomes detectable by failing a positive check. This is better and easier than the negative OCSP revocation checking that we currently do, or at least it will be when everyone's recursive resolver supports DNSSEC. Again, this needs critical mass.

Unfortunately the IETF has two groups (DANE and PKIX) both working on this in parallel and there is not yet clarity over which DNS record to use or how (TLSA or CAA). However, the DANE group has just published their scope RFC (http://www.rfc-editor.org/rfc/rfc6394.txt). So there is progress.
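
Added example (not part of the thread and not any commenter's code): a sketch of the "positive check" described in the comment above, where a certificate is accepted only if it matches a DNSSEC-validated record published by the domain owner. It uses the TLSA field layout (usage, selector, matching type, data) that RFC 6698 later standardised. The function names, the boolean `dnssec_validated` flag, the fallback policy and the sample byte strings are assumptions made for illustration, and the usage-specific chain rules are not implemented.

```python
import hashlib
import hmac

# Matching types as later fixed in RFC 6698: 0 = exact, 1 = SHA-256, 2 = SHA-512
_DIGESTS = {
    0: lambda b: b,
    1: lambda b: hashlib.sha256(b).digest(),
    2: lambda b: hashlib.sha512(b).digest(),
}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("malformed TLSA rdata")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate matches one parsed TLSA record."""
    _usage, selector, mtype, expected = record
    presented = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    return hmac.compare_digest(_DIGESTS[mtype](presented), expected)

def dane_check(rdatas, cert_der, spki_der, dnssec_validated):
    """Return 'accept', 'reject', or 'no-dane' (fall back to CA validation)."""
    if not dnssec_validated:
        return "no-dane"  # unsigned answers prove nothing (policy assumed here)
    records = []
    for rdata in rdatas:
        try:
            records.append(parse_tlsa(rdata))
        except ValueError:
            continue  # skip records this client cannot use
    if not records:
        return "no-dane"
    ok = any(tlsa_matches(r, cert_der, spki_der) for r in records)
    return "accept" if ok else "reject"

# Constructed stand-ins for DER bytes; not real certificates.
GENUINE_CERT, GENUINE_SPKI = b"constructed-cert-A", b"constructed-spki-A"
FAKE_CERT, FAKE_SPKI = b"constructed-cert-B", b"constructed-spki-B"
PUBLISHED = ["3 1 1 " + hashlib.sha256(GENUINE_SPKI).hexdigest()]

if __name__ == "__main__":
    print(dane_check(PUBLISHED, GENUINE_CERT, GENUINE_SPKI, True))
    print(dane_check(PUBLISHED, FAKE_CERT, FAKE_SPKI, True))
```

A counterfeit certificate is rejected here without any revocation lookup, because it simply fails to match what the domain published; the check only has force when the DNS answer itself was DNSSEC-validated.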