I second this, and add that we should start using trusted authorities to get, verify, and monitor all of the self signed public certificates, similar to how PGP works. We generally trust a few reputable companies and organizations and so these entities could setup the registries for the self signed certificates, and could monitor and establish mechanisms for generating creditibilty ratings for certificates. They can monitor for complaints, fraud, abuse, impersonations, etc. Your browser and operating system (which you already trust) would have a base line list of entities to establish the reliability of a given certificate, and you could modify that list if it suited you.
Along with your 2 way authentication proposal, establish an authentication protocol with acceptance level similar to SSL that allows the authentication to be done securely between key manager on the client side (away from any trojans or keyloggers) and a user/key database on the server side (away from any hackers). This way way we can keep the most sensitive information (the keys), in a simple isolated device or server, that does one thing, manage keys, thus drastically reducing risk of being compromised. Also, a well established authentication protocol standard, is needed if we want to rid ourselves of using passwords (not just for browsers, but also applications).