As I noted in a comment elsewhere in this thread, Comcast (or any other vendor) doesn't need to go through the work of getting certs into major browsers. They just need to purchase and use a root signing certificate that works under the existing root CAs that are already in all the browsers.
This is part of why the trust model of the current CA system is fundamentally broken. We need to add a layer that can ensure that we are in fact using the SSL certificate that the site owner wants us to use.
There are multiple solutions being proposed out there to add this trust layer. I am a strong advocate of DANE (http://www.internetsociety.org/deploy360/resources/dane/), but there are others out there, too.
There was a good talk about this at Black Hat USA 2011 on "SSL and the Future Of Authenticity" at: http://www.youtube.com/watch?v=Z7Wl2FW2TcA
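An added illustration, not part of the original post, of the check that the DANE layer adds: the site owner publishes a TLSA record in DNS and the client compares the certificate the server actually presented against it, so a certificate issued by some other (even fully trusted) CA does not match. The certificate bytes are constructed placeholders, not real DER, and the field semantics follow RFC 6698.

```python
"""DANE (RFC 6698) TLSA matching of a presented certificate."""
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usages from RFC 6698. Only the two end-entity usages are
# checked here, because they constrain the leaf certificate the server sends.
PKIX_EE = 1   # leaf must match the TLSA data AND pass normal PKIX validation
DANE_EE = 3   # leaf must match the TLSA data; no CA chain is consulted

@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int        # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int   # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    association: bytes   # "certificate association data" field

def association_for(cert_der: bytes, record: TLSARecord) -> bytes:
    """Derive the association data this record would carry for cert_der.
    Only selector 0 (full DER certificate) is implemented; selector 1 needs
    an ASN.1 parse to extract the SubjectPublicKeyInfo and is left out."""
    if record.selector != 0:
        raise NotImplementedError("selector 1 (SPKI) is not handled here")
    if record.matching_type == 0:
        return cert_der
    if record.matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if record.matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {record.matching_type}")

def tlsa_matches(cert_der: bytes, records) -> bool:
    """True if any end-entity TLSA record pins the presented certificate."""
    for rec in records:
        if rec.usage not in (PKIX_EE, DANE_EE):
            continue  # usages 0 and 2 constrain the issuing CA, not the leaf
        try:
            expected = association_for(cert_der, rec)
        except NotImplementedError:
            continue  # unusable record; keep looking at the others
        if hmac.compare_digest(expected, rec.association):
            return True
    return False

# Constructed stand-ins for DER certificates (not real certificates).
OWNER_CERT = b"\x30\x82\x01\x00constructed-der-for-example.test"
OTHER_CA_CERT = b"\x30\x82\x01\x00constructed-der-issued-by-some-other-ca"
# The record the site owner would publish: "_443._tcp.example.test TLSA 3 0 1 <sha256>"
PUBLISHED = [TLSARecord(DANE_EE, 0, 1, hashlib.sha256(OWNER_CERT).digest())]
```

A client that does this comparison (after fetching the record over DNSSEC-validated DNS) rejects `OTHER_CA_CERT` even though a browser's root store would accept it.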