Keep in mind that while plain self-signed certs just don't work at all given user behavior, self-signed certs plus TACK have about the same security level as SSH host keys. If and when most browsers have TACK, and most sites use TACK headers, the CA infrastructure will become mostly (though not entirely) irrelevant.