Thanks. That was helpful. With letsencrypt it feels like this problem is not the problem it used to be, because most certificates are now self asserted.
While Letsencrypt is great, one more CA in the root zone isn't direct improvement of the situation. It's important to realize that any single CA in the root zone can, in theory, without asking anybody or doing anything else, create fake TLS certificates for any website they want and then subsequently use those certificates to perform Man-in-the-Middle attacks.
You don't need to specifically trust the CA that signs the certificate of your website: they don't get your private key or anything, only the public key which everyone is getting. Instead, you need to trust every single CA in the root zone.
That's at least the idea without certificate transparency (CT). The current SCT policy of Chrome for example increases [1, 2] the numbers of entities needed until a certificate is considered to be valid, and thus, any attack needs the cooperation of multiple such entities as well, making attacks harder to mount.
