Some combination of distributed notaries, warnings for unusual certificate conditions (e.g. certs changing when they have lots of time until expiration -- Dear Google, please stop doing that), and other ideas.
When given the option to choose who to trust, the vast majority of users will stay with the defaults, which are chosen by Google, Microsoft, and Mozilla. That's not fundamentally different from what's currently in place.
Tack is much more interesting. I'm too sleepy to fully understand the proposal, but what I've gathered so far looks promising.
It could be structured based on kittens and be at least as secure. I could steal a guy's wallet, copy his ID, slip it back or just throw it out, buy a certificate, slip in virus-laden software, and it would get a huge seal of approval.
That's not much of an argument. It's not very easy to mug someone from Nigeria. Eliminating a remote attack is a big deal.
Of course, the sheer number of certs given out guarantees that some bad guys will be able to get one using a fake ID. But the point is to make malware rare and easier to investigate, not to eliminate it completely.
Most people care less about assurance and more about encryption. I.e., unless you're subject to a MITM DNS attack, you're a lot less likely to be directed at the wrong paypal.com than you are to, say, have your password sniffed off the wire, or by a keylogger on the local machine.
And that identity assurance is where most of the scam comes in. Encrypting communication securely is dead simple (from an implementation standpoint - pick a cipher and go); making sure server X actually represents who they say they do is a whole different can of worms.
Congratulations - you have been enlightened to the state of PKI as it stands today. (I.e., a complete fucking scam.)