> So it's almost impossible for a single person to implement their own SSL/TLS library.

On the one hand, you're right, TLS is ugly as sin. On the other, wtf, they're still finding bugs in *openssh* and *openssl*, which are possibly the most intensely scrutinized bits of code ever. You honestly think one random person -- one who's not even smart enough to understand ASN.1 -- is going to do better, no matter the protocol?

> What we need is a simple security protocol based on XML

Have you seen the horror that lurks in standards that mix XML and crypto? XML has many congenial aspects, but it does not mix well with the "just define a canonical bitstring dammit" world of crypto.
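
The canonical-bitstring problem mentioned above, as an added example that is not part of the original comment: two serializations of the same XML content produce different MACs unless both sides canonicalize first. The key, the documents and the function names are constructed for illustration; canonicalization uses the standard library's C14N 2.0 implementation (Python 3.8+).

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

# Constructed documents. DOC_A and DOC_B carry the same content but differ
# in attribute order, quote style, spacing inside the tag and empty-element
# syntax. DOC_C really is different (qty changed).
DOC_A = '<order id="42" currency="EUR"><item sku="A1" qty="2"/></order>'
DOC_B = "<order currency='EUR'  id='42'><item qty='2' sku='A1'></item></order>"
DOC_C = '<order id="42" currency="EUR"><item sku="A1" qty="3"/></order>'


def mac_raw(doc: str) -> str:
    """MAC over the bytes exactly as serialized by the sender."""
    return hmac.new(KEY, doc.encode("utf-8"), hashlib.sha256).hexdigest()


def mac_canonical(doc: str) -> str:
    """MAC over the C14N 2.0 form, so equivalent serializations agree."""
    canon = canonicalize(doc)  # sorts attributes, normalizes quoting/empty tags
    return hmac.new(KEY, canon.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(doc: str, tag: str, mac_fn) -> bool:
    """Constant-time comparison of the recomputed MAC against the tag."""
    return hmac.compare_digest(mac_fn(doc), tag)


if __name__ == "__main__":
    raw_tag = mac_raw(DOC_A)
    canon_tag = mac_canonical(DOC_A)
    # A re-serialized but equivalent document fails raw verification...
    print("raw,   equivalent doc:", verify(DOC_B, raw_tag, mac_raw))
    # ...and passes once both sides agree on a canonical form.
    print("c14n,  equivalent doc:", verify(DOC_B, canon_tag, mac_canonical))
    # A real modification is rejected either way.
    print("c14n,  modified doc:  ", verify(DOC_C, canon_tag, mac_canonical))
```

Whitespace between elements is significant text by default, so documents that differ only in indentation still fail unless `strip_text=True` is passed to `canonicalize`; each such option is part of what both parties must agree on.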