Actually, an installation with a low level of trust by default would also eliminate the authentication issue with obtaining root certificates. In theory the untrusted-certificate dialog box could include a button to grant an additional level of trust to the associated root cert.
Honestly, I don't see what security is obtained by keeping out serious free cert providers when verisign doesn't do much to authenticate their certs other than making sure the check clears.
Actually, an installation with a low level of trust by default would also eliminate the authentication issue with obtaining root certificates. In theory the untrusted- certificate dialog box could include a button to grant an additional level of trust to the associated root cert.
Honestly, I don't see what security is obtained by keeping out serious free cert providers when verisign doesn't do much to authenticate their certs other than making sure the check clears.