There are two problems.
   First, CA AND/OR ToFU, or notaries or some other kind of acceptance of
   the certificates. That is a large issue, but the CA model is broken. It
   would be even more convenient not to have to bother with any
   authentication, encryption and passwords, but if we are going to bother
   with it, it may as well be actually secure. We need not trust them
   collectively - the difficulty comes when there are lots of different
   certs from the same site, but I might trust a google domain cert signed
   with a google signing cert over one signed by diginotar.
   Second, they generally don't escrow the ephemeral keys, but, if I
   understand correctly, if the key exchange does not have perfect forward
   secrecy, if the traffic is recorded, and the original private keys are
   exposed (subpoenaed, hacked, broken) any session is as well. Note that
   the exposure of one private key unlocks ALL such recorded sessions.
   This would apply even if I generate my own keypair and private cert.

   On Sat, Jul 27, 2013 at 5:56 PM, Lodewijk andr de la porte
   <[1]l@odewijk.nl> wrote:

     What problem are we solving, exactly? No eavesdropping is simple
     enough. No MITM is not preventable without information known to come
     from the intended source. Presently we have "all knowers" called
     certificate authorities. We trust them as a collective not
     individually. Their security depending on their collective is a
     fatal mistake. The idea of an all-knower is very, very convenient
     for the design of these systems.

References

   1. mailto:l@odewijk.nl