It's a bit of a scam from the beginning. I remember almost 20 years ago I asked where the safety was in that we had to shell out a relatively large sum of money to some unknown company on the other side of the world, so that they could "verify" our identity (how exactly?) - just because they had bought (?) a place in Netscape's or Internet Explorer's root CA list.
Since there are so many certificate authorities, it's safe to assume that too many are compromised by, or under the influence of, criminal organisations or non-democratic and/or corrupt governments. (Ignoring the just-for-lulz hackers; I'm not that worried about them.)
I really wish the PGP/GPG-style trust chain model worked in real life, but it's a hassle even for techies.
One idea would be to utilize the existing social networks + phones for something, but I doubt it would be possible to build something that is idiot-proof enough.
(Especially since a lot of people seem to have no idea who some of their contacts actually are...)
It could potentially solve email too though.