Moxie is -absolutely- right. The focus should not be mainly on who to trust, because trust is transient: it can be earned, and lost.
Instead, we want a system where it's easy and practical to add new trusted organizations, OR remove ones *not* trusted.
Ideally, this choice should be open to both website-owners, browser-makers and browser-users. And the choice should be -practical-.
Sure, you can remove Verisign from your browser's list of trusted CAs today, but doing so merely gives you a nasty warning (and no alternative way of establishing identity) on a large fraction of websites, so it's not a -practical- thing to do.