In practice the public CAs didn't quite work out. www.cacert.org tried it, and was interesting, but didn't work out in the end. Especially now its a bit of a joke with the login page on http and the website certificate not being cross-signed, so you have to accept them explicitly.