
Can anyone explain to me how I can open up a CA and get my CA certs distributed with browsers and JVMs and whatnot? Is there some sort of "IANA" that approves and manages this, and why would they approve all sorts of shady CAs which clearly are a dangerous weak link in the whole SSL construct?


There is no approval process, no central authority. If you want your CA in OS X, you talk to Apple, if you want it in Windows, you talk to Microsoft. If you want it in Firefox, you talk to Mozilla.


All vendors want market share in the Netherlands, so a few Dutch CAs get on the list; and they all want market share in China so the Chinese Ministry of Information gets on the list.

No browser wants to be the one which doesn't work with someone, somewhere's bank, so once you're on one list, you tend to get added to all of them; and it becomes nigh-on impossible for marketing reasons to remove anyone from the list ever.

15 years later, browsers have 80 CAs and 200 certificates built-in.


...and what compounds the problem is that CAs are trusted on an all-or-nothing basis - you don't have a concept of "this CA is trusted only for .nl domains, and this other CA is trusted only for .cn and .hk domains".
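As an added illustration of the scoped-trust model the comment above wishes for (this is example code written for this page, not from any browser or commenter), here is a toy trust store in which each root is trusted only for a set of DNS suffixes. The CA names and domains are constructed; the standardized X.509 mechanism closest to this idea is the name constraints extension, which constrains what a CA may issue rather than how a client chooses to trust a root.

```python
"""Constructed example: per-CA domain scoping instead of all-or-nothing trust."""


def normalize(name):
    """Lower-case a DNS name and strip leading/trailing dots."""
    return name.lower().strip(".")


def in_scope(name, suffix):
    """True if a SAN name falls inside a permitted suffix.

    Matching happens on label boundaries, so a scope of "nl" accepts
    "www.bank.nl" but rejects "bank.nl.evil.com" and "evilnl".
    """
    name = normalize(name)
    if name.startswith("*."):      # wildcard cert: scope applies to its base
        name = name[2:]
    if name == suffix:             # the suffix itself, e.g. "gov.nl" under "gov.nl"
        return True
    return name.endswith("." + suffix)


class ScopedTrust:
    def __init__(self):
        # issuer name -> set of DNS suffixes; an empty set means "trusted for
        # everything", which is today's behaviour for every built-in root
        self.scopes = {}

    def add_ca(self, issuer, suffixes=()):
        self.scopes[issuer] = {normalize(s) for s in suffixes}

    def accepts(self, issuer, san_names):
        """Would a leaf from this issuer, with these SANs, be trusted?"""
        if issuer not in self.scopes:
            return False               # unknown CA: never trusted
        if not san_names:
            return False               # a server cert without any names is useless
        allowed = self.scopes[issuer]
        if not allowed:
            return True                # unscoped (global) root
        # every name on the cert must sit inside one of the permitted suffixes
        return all(any(in_scope(n, s) for s in allowed) for n in san_names)


if __name__ == "__main__":
    store = ScopedTrust()
    store.add_ca("Example NL CA", [".nl"])
    store.add_ca("Example CN/HK CA", ["cn", "hk"])
    store.add_ca("Example Global CA")
    print(store.accepts("Example NL CA", ["www.bank.nl"]))        # True
    print(store.accepts("Example NL CA", ["bank.nl.evil.com"]))   # False
```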


Chrome plugins are too limited, but could this functionality be implemented via a Firefox extension?


There is no central authority, but each browser does have an approval process. Most require the CA to be audited annually by an organization that does WebTrust audits. Mozilla's procedures are listed at https://wiki.mozilla.org/CA:How_to_apply

I'm not sure having a central authority would be practical, but the approval process and audits need to be more thorough to find the type of security problems that DigiNotar and Comodo had.



