OK, so here's my basic proposal for a net-wide authentication service.
Trusted third-party authentication (Kerberos-like). The user need not trust the service and vice versa - instead, they negotiate use of an authentication server they both trust. Ideally, we don't want to entirely trust any one authentication server, or perhaps even any one authentication service provider, but this is deep magic to me.
Users and services generate their own public keys, a la PGP. Paying a CA just to have a key is not on - paying for one to trust your key may be. Especially a CA that actually looks at you, takes photos, affidavits and skin samples, and will then commit to an authentication reliability guarantee, which high-security applications will require.
We'll need to be able to implement a client on a smart card.
We'll need to implement a client in IE and Mozilla somehow.
We'll need to do it all fast, before Microsoft and AOL take over.
Pluggable encryption schemes would be nice. Ideally the encryption scheme would be implemented in a portable bytecode of some kind. The crypto codec could possibly be negotiated between client, server and authenticator. The service protocols will probably be more vulnerable than the encryption algorithms, so this may not really be cost-effective, but it's worth thinking about.
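Added example, not part of the proposal above and not anyone's implementation of it: a toy of the Kerberos-like exchange in Python, showing the one piece the proposal states concretely, that client and service each publish the authenticators they trust and use one from the intersection, and what the service has to check before it believes a ticket. Assumptions I made to get something runnable with the standard library: every principal registers a secret key with each authenticator it trusts, and HMAC-SHA256 over (key, ticket) stands in for the public-key signatures the proposal wants; the session key is wrapped with a one-time XOR mask derived from that key and a nonce. Principal names (alice, mail, auth1..auth3) and the scenario in demo() are constructed.

```python
"""Toy trusted-third-party (Kerberos-style) ticket issue and check.
Illustration only: HMAC stands in for public-key signatures, and the key
registry is in-memory. All names and keys below are constructed."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 tag (assumed stand-in for the proposal's signatures)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def wrap(key: bytes, nonce: bytes, secret: bytes) -> bytes:
    """XOR a short secret with a (key, nonce)-derived one-time mask; wrap() also unwraps."""
    pad = mac(key, b"wrap" + nonce)[: len(secret)]
    return bytes(a ^ b for a, b in zip(secret, pad))


def choose_authenticator(client_trusts: set, service_trusts: set) -> str:
    """Pick an authenticator from the intersection of both trust lists (smallest
    name, so client and service independently arrive at the same choice)."""
    common = client_trusts & service_trusts
    if not common:
        raise ValueError("no mutually trusted authenticator")
    return min(common)


class Authenticator:
    """The trusted third party: one registered key per principal."""

    def __init__(self, name: str):
        self.name = name
        self.keys: Dict[str, bytes] = {}

    def register(self, principal: str, key: bytes) -> None:
        self.keys[principal] = key

    def issue(self, client: str, service: str, lifetime: int = 300) -> dict:
        """Fresh session key, packaged once for the client and once for the service."""
        session, nonce = os.urandom(16), os.urandom(16)
        body = {"issuer": self.name, "client": client, "service": service,
                "expiry": int(time.time()) + lifetime, "nonce": nonce.hex()}
        ticket = {"payload": json.dumps(body, sort_keys=True).encode()}
        for role, name in (("client", client), ("service", service)):
            key = self.keys[name]                 # KeyError if unregistered here
            box = wrap(key, nonce, session)
            ticket[role + "_box"] = box
            ticket[role + "_tag"] = mac(key, ticket["payload"] + box)  # tag covers the box too
        return ticket


class Principal:
    """A user or a service; holds the key it registered with each trusted authenticator."""

    def __init__(self, name: str, trusted: Dict[str, bytes]):
        self.name, self.trusted = name, trusted

    def accept(self, ticket: dict, role: str, peer: str, now: Optional[float] = None) -> bytes:
        """Check issuer, tag, names and expiry; return the session key or raise ValueError."""
        body = json.loads(ticket["payload"])
        key = self.trusted.get(body["issuer"])
        if key is None:
            raise ValueError("ticket from an authenticator I do not trust")
        box, tag = ticket[role + "_box"], ticket[role + "_tag"]
        if not hmac.compare_digest(mac(key, ticket["payload"] + box), tag):
            raise ValueError("bad tag")
        other = "service" if role == "client" else "client"
        if body[role] != self.name or body[other] != peer:
            raise ValueError("ticket names someone else")
        if body["expiry"] < (time.time() if now is None else now):
            raise ValueError("ticket expired")
        return wrap(key, bytes.fromhex(body["nonce"]), box)

    def prove(self, session: bytes, challenge: bytes) -> bytes:
        """Answer the peer's challenge to prove possession of the session key."""
        return mac(session, self.name.encode() + challenge)


def rejects(fn) -> bool:
    try:
        fn()
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: alice trusts auth1+auth2, mail trusts auth2+auth3."""
    auths = {n: Authenticator(n) for n in ("auth1", "auth2", "auth3")}
    alice_keys = {"auth1": os.urandom(32), "auth2": os.urandom(32)}
    mail_keys = {"auth2": os.urandom(32), "auth3": os.urandom(32)}
    for n, k in alice_keys.items():
        auths[n].register("alice", k)
    for n, k in mail_keys.items():
        auths[n].register("mail", k)
    alice, mail = Principal("alice", alice_keys), Principal("mail", mail_keys)

    chosen = choose_authenticator(set(alice_keys), set(mail_keys))
    ticket = auths[chosen].issue("alice", "mail")
    k_alice = alice.accept(ticket, "client", "mail")
    k_mail = mail.accept(ticket, "service", "alice")
    c1, c2 = os.urandom(8), os.urandom(8)     # mutual proof of possession
    mutual = (hmac.compare_digest(alice.prove(k_alice, c1), mac(k_mail, b"alice" + c1))
              and hmac.compare_digest(mail.prove(k_mail, c2), mac(k_alice, b"mail" + c2)))

    forged = dict(ticket, payload=ticket["payload"].replace(b"alice", b"mallory"))
    auths["auth1"].register("mail", os.urandom(32))   # impostor registration at auth1
    untrusted = auths["auth1"].issue("alice", "mail")
    return {"chosen": chosen, "same_key": k_alice == k_mail, "mutual": mutual,
            "tamper_rejected": rejects(lambda: mail.accept(forged, "service", "mallory")),
            "untrusted_rejected": rejects(lambda: mail.accept(untrusted, "service", "alice")),
            "expired_rejected": rejects(lambda: alice.accept(ticket, "client", "mail", now=time.time() + 1000))}


if __name__ == "__main__":
    print(demo())
```

The part the proposal calls deep magic (not relying on any single authenticator) is deliberately left out; the natural extension is to require tags from k of the n commonly trusted authenticators before accept() returns a key.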