IE comes preloaded with about 34 root certificate authorities, and it is easy for the end user to add more, to add more in batches. Anyone can coerce open SSL to generate any certificates he pleases, with some work. Why is not someone else issuing certificates? Mostly because of the alarming things IE/NS/Whatever says if you haven't already got the root cert in your browser when you visit a site relying on a "homebrewed" cert. Certainly some time ago, the OpenCA project were giving away ssl certs for free to all comers; the software they produced is open source (and at sourceforge) so anyone could open their own CA with whatever authentication criteria they wish (and indeed, the owner of news.securecomp.org (nntp) is in the early stages of a X509-based CA on a hierachical but distributed model (ie, regional CAs you can apply
jamesd@echeque.com <jamesd@echeque.com> was seen to declaim: personally to with proof of ID) Doesn't help much when the sheeple won't trust anything that doesn't come pre-installed by microsoft though.