You don't actually pay for the signing of the certificate; you pay for the trust that the CA should give you.


Then why does VeriSign charge more than Gandi for the same thing (domain control validation)?

Why do we treat ID-verified certificates (i.e. ones that have your name on them) as somehow "better" than the former, when the browser doesn't care? It just cares that the cert was signed.

Why do certificates expire, but not require new keys? (And why does this expiration cause a scary warning akin to a self-signed cert?) There is no practical reason for the expiration, save to line the pockets of the CAs.

None of this crap makes any sense, unless you view the CA system as exploitative and broken by design, in which case the answer to most of these things is "because greed".


I mostly agree with you, and the cynic in me says it's all about greed, except regarding expiration: nothing is eternal, especially considering crypto, so it's a safe assumption to say that nothing can be guaranteed for more than a given number of years. If you don't put a limit, you stall development of new primitives because deployment is more expensive than deprecating what already exists. Putting a "best before" date keeps everyone's head up.

The CA system looks like a good idea on paper if you keep it technical; if you look at it from a more widespread angle there's little surprise that it turned out to be like it is. But the idea remains good.
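The two comments above raise the same operational question from opposite sides: a certificate expires, but nothing forces the key behind it to change, and nothing flags an old primitive. The following is an added example (not code from anyone in the thread) showing how a defender can audit a renewal with plain openssl: it constructs one RSA key and two self-signed certificates for a placeholder name (example.test), then checks expiry windows, whether the "renewed" cert reused the old SubjectPublicKeyInfo, and the key size.

```sh
#!/bin/sh
# Added example, not from the thread: audit a certificate "renewal" the way a
# defender would, checking (a) how close to expiry each cert is and (b) whether
# the renewal actually rotated the key or just re-signed the same public key.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed demo material: one RSA key, an old 1-day self-signed cert and a
# "renewed" 90-day cert issued for the same key (example.test is a placeholder).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/key.pem" 2>/dev/null
openssl req -x509 -new -key "$workdir/key.pem" -days 1 -subj "/CN=example.test" \
  -out "$workdir/old.pem" 2>/dev/null
openssl req -x509 -new -key "$workdir/key.pem" -days 90 -subj "/CN=example.test" \
  -out "$workdir/new.pem" 2>/dev/null

# SHA-256 over the DER SubjectPublicKeyInfo; two certs with equal hashes share a key.
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Public-key size in bits, so a renewal can also be held to a minimum strength.
key_bits() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds (0) if the cert will have expired within $2 seconds from now.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Succeeds (0) if the renewal kept the previous public key instead of rotating it.
key_reused() {
  [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]
}

# Stand-alone report for the constructed certs.
if expires_within "$workdir/old.pem" 172800; then echo "old cert expires within 2 days"; fi
if key_reused "$workdir/old.pem" "$workdir/new.pem"; then
  echo "renewal reused the key ($(key_bits "$workdir/new.pem")-bit RSA)"
fi
```

Point the same functions at a live site's previous and current leaf certificates to see whether a renewal was really a rotation.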

