I was thinking of multiple levels of security. The whitelist with SSL is just an extension of the password vault. The user change involved is small and the browser change required is small. Operationally the sequence of events would be:

1) Site X asks for a password over an SSL channel.
2) The browser checks the organization information in the server certificate, sees that it is a whitelist match, and replies with the password. (no extra user effort).

for a new site or phishing site, step 2) becomes

2) The browser sees that organization information is new. It starts its anti-phishing logic. Is there some reason to be suspicious?
3a) The browser displays either a neutral query "Is this a new site? what password should it have?" interaction, together with text indicating that if this is not a new site then phishing is likely.
3b) The browser displays a phishing warning when there is reason to suspect phishing, and requires extra steps to persuade it to add this site to the whitelist.

This is not burdensome for regular use. It is vulnerable to phishing, but now phishing requires more effort and is a bit more obvious. It is reasonably robust against simple spoofing because it is hard for the spoofer to get a matching organization certificate. It is vulnerable to several kinds of man in the middle attacks, as are the other proposals above. Phishing attacks against the certificate system of Windows have already been detected and those will be expanded to attack this, so something stronger is needed when the transaction is valuable.

This is why I think we will need to start encouraging the use of somewhat less convenient but much stronger mechanisms for transactions that involve significant funds. The single use credit card numbers are one form of this. One time passwords from cell phones is another, as is the use of second channel confirmation numbers. It is less convenient, but given current technology I assume that many machines are penetrated and that all public communications channels are watched by bad guys.

It would have been nice if Trusted Computing had evolved to generate PCs that could be trusted by their owners. Unfortunately it has evolved to mean PCs that cannot be trusted by their owners. So instead I move towards approaches that require multiple unrelated systems be penetrated before valuable transactions are compromised.