Re: When I can self sign, and provide my CA by side channel (e.g. DNSSEC)
One of the advantages I see to this scheme is it makes black hat SEO bullsh*t just that little bit harder. The economics of linkfarming and SEO spamming mean even small incremental changes in cost have large knock-on effects that can undermine the profitability of the enterprise.
If we start accepting self-signed certs, then all that will happen is linkfarms will start using SSL with self-signed certs. And the consequences of accepting self-signed certs are potentially quite troublesome. I'm not down with making MITM attacks easier, for example.
Ideas like changing the color of the padlock for self-signed vs. CA-signed certs don't stand well in a world where it's hard enough to convince folks to look for the padlock in the first place. And unlike some IT-savvy people I've met, I don't believe that users who are less savvy deserve to get hijacked.