Naturally, it will be a slow transition, considering most IT departments are not too comfortable with the idea of switching all of their computer network to a Linux-based one (and with good reason).
Good IT departments are not too comfortable with the idea of switching all of their computer network to a Windows-based one (and with good reason).
As you can see, they're not really safer than self-signed certs. To me browsers should do that SSH thing and warn you if the cert has changed (whether it's self-signed or CA signed).
But you haven't solved the initial authentication process. Blindly typing 'yes' to the SSH key fingerprint the first time you connect is just as bad as blindly clicking through self-signed certificate warnings.
You need a trusted medium for authentication -- bundling CA certificates is one approach to bootstrapping that process. (Granted, this requires that people authenticate the browsers they download...)
"It might help if we ran the MBA's out of Washington." -- Admiral Grace Hopper
