By default, the only way that a web browser can know that the site gave it the right cert (as opposed to someone intercepting the connection with their own cert), is if it's signed by one of a couple hundred "trusted" providers who are supposed to be careful to not give certs to the wrong people.
Something like [Perspectives](http://www.cs.cmu.edu/~perspectives/) should be much more secure and can be more decentralized, but unfortunately isn't included with any default browser installs. It can't provide the same link to a meatspace identity, but you very rarely care about that (basically just for ecommerce) and it could be used in conjunction with a CA-based system for that anyway.
Because the web has a broken security model.
By default, the only way that a web browser can know that the site gave it the right cert (as opposed to someone intercepting the connection with their own cert), is if it's signed by one of a couple hundred "trusted" providers who are supposed to be careful to not give certs to the wrong people.
Something like [Perspectives](http://www.cs.cmu.edu/~perspectives/) should be much more secure and can be more decentralized, but unfortunately isn't included with any default browser installs. It can't provide the same link to a meatspace identity, but you very rarely care about that (basically just for ecommerce) and it could be used in conjunction with a CA-based system for that anyway.