(oops, that was sent before I was finished)
This whitelist is probably a bit more directly usable than some of my suggestions. I don't know why I didn't think of it before, but Russell Nelson suggested it to me (it's his creation, of course).
It should be fairly trivial (and I think there might be a tool for this) to walk the web-o-trust tree, produce a "lowest depth seen" for each domain and then start working through it. I don't know if there are bad entries if you go too deep on the tree.
By the way, did I mention why I'm so keen on your whitelist? Once domain authentication becomes a reality, it will be a great source for whitelisting of authenticated senders.
I believe Justin has looked at web-o-trust some, so I've copied him on the message.
Daniel