Literally everyone on the Chrome Security UX team tweets from a verified account. Even Troy Hunt does.



That would be a pretty decent approach, but an EV cert does not assert that:

> This key belongs to the owner of this domain name AND this domain name matches this business name.

Instead, an EV cert comes with an extra name (the official business name) and then asserts:

> This key belongs to the owner of this domain name AND this key belongs to the owner of this other business name

Hence you get the image [1] of a website www.thesslstore.com but EV business name 'Rapid Web Services LLC'. Should that really mean that this counts as a 'verified' domain that gets a tick-mark?

That said, switching to a system more like the first assertion, and going with the 'verified' tick mark could work. It would make validating EV certs a lot harder though, as it requires a more subjective judgement to make. (e.g. could you validate windows.com for the company microsoft? What about youtu.be for youtube) Making a wrong judgement here should look pretty bad for a cert-issuer.

[1] https://www.troyhunt.com/content/images/2019/08/image-4.png
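An added example, not from the thread, showing the two separate assertions described above with Go's standard library: it builds a constructed self-signed certificate carrying the EV subject attribute for jurisdiction of incorporation (the OID the CA/Browser Forum EV Guidelines define) and reads the business identity and the domain names back as independent facts. The organisation name and domain are the sample values from the comment; the chip format "Org [country]" mimics the old EV indicator and is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// jurisdictionOfIncorporationCountryName, the Subject attribute only EV certificates carry.
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

// NewEVStyleCert builds a constructed, self-signed certificate: the vetted business identity
// sits in the Subject, the domain only in the SAN extension, and nothing links the two.
func NewEVStyleCert(org, country, domain string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			Organization: []string{org},
			ExtraNames:   []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: country}},
		},
		DNSNames:  []string{domain},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Assertions separates the two independent claims: the identity an EV indicator rendered
// (organisation plus jurisdiction) and the domain names the key is valid for.
func Assertions(cert *x509.Certificate) (chip string, domains []string) {
	jurisdiction := ""
	for _, atv := range cert.Subject.Names { // all parsed Subject attributes, EV OIDs included
		if atv.Type.Equal(oidJurisdictionCountry) {
			jurisdiction, _ = atv.Value.(string)
		}
	}
	chip = fmt.Sprintf("%s [%s]", cert.Subject.Organization[0], jurisdiction) // O is always set here
	return chip, cert.DNSNames
}
```

Nothing in the certificate structure lets a verifier derive the domain from the organisation or vice versa, which is why deciding whether the two "match" is a judgement call rather than a field comparison.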


That's a good point. I support:

- Using trademarks (this fixes the US issue of per-state homonym attacks).

- Not including the domain in the certificate at all. If an identity is verified, it's verified. Why limit where it can be used, or try and assert some unrelated fact?

     The SSL Store (Computer Services) [US]
This has been suggested to Google, who indicated they were not interested.


> Not including the domain in the certificate at all. If an identity is verified, it's verified. Why limit where it can be used, or try and assert some unrelated fact?

I strongly disagree. It is still a domain that is entered into the URL box. On the web, websites are defined by their domain name. That is the thing I want verified. For EV I also want verification the domain name matches a company that should have that name. But the core thing is a domain name.


Keep in mind most domains are not typed manually into a URL box.


Still, links and bookmarks point to URLs.


Sure. How do you know the URL is who you think it is? How do I know if withgoogle.com is Google or not? If I do know who I'm communicating with, why do I care about the domain it's on?


