Presumably there's a irreducible amount of Extended Validation involved in qualifying as such a CA, though, no? Which would be the GP's point — you can't have a fleet of thousands of machines where each one individually, automatically, and anonymously registers to become its own signing CA.
If the target is legal recognition then you need to store your legally-recognized name and need to do what patio11 calls a hybrid system - part-offline, part-online verification. Also, IIRC there's a free government CA in Estonia that can sign documents, but of course you need to trust that Estonia is both not malicious and not incompetent.
