by RawInfoSec 3886 days ago
Plus lack of identity validation. While the author of the article minimizes this, we shouldn't remove it from the equation just because users can't tell the difference. The right thing would be to fix the users' understanding rather than weaken the product.

LetsEncrypt will be good for all those sites we deploy with self-signed certs, but won't be replacing major sites any time soon.


Is identity validation under any circumstances more than snake oil?

Neither users nor browsers could tell whether a site is supposed to run a domain- or identity-validated certificate. (Fun fact: HN uses a domain-validated cert.) All you get is higher costs for some X.509 fields nobody ever looks at, and nobody would miss it if an MITMing attacker replaced your ID-validated cert with a domain-validated one.

You can use HPKP to pin EV-only root CAs, so you can still replace your cert, but it can only be replaced against another EV one.

Doesn't protect against a hacked/rogue CA, but it does protect against someone getting access to your DNS/mail/web server and getting a usable certificate from an only-domain-validating CA.

Just because the CA or the intermediate says EV doesn't mean that they only issue EV certs. The CA we use at work will issue certs with their EV root when we need compatibility with older installs; they only had their EV root cross-signed.

Yes, but EV is not the same as identity validation. That's another variant of certificates that was only introduced because identity validation alone is so bloody useless.

Couldn't you also use HPKP to pin the EV-only root?

That's actually what I meant. Edited.
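The pinning idea discussed above (pin the EV-only root's key via HPKP so a certificate from some other domain-validating CA is rejected) and the caveat that follows it (a pinned root also issues non-EV certs) are both easy to see in code. The following Go program is an added example written for this thread, not code from any of the commenters. It builds constructed in-memory certificates (an "EV" root, a "DV" root and leaves under each), computes RFC 7469 `pin-sha256` values as base64(SHA-256(SubjectPublicKeyInfo)), emits a `Public-Key-Pins` header with the required backup pin, and applies the HPKP match rule: a served chain is accepted if any certificate in it has a pinned SPKI hash. All names and key material are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// spkiPin returns the RFC 7469 pin for a certificate:
// base64(SHA-256(DER-encoded SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// hpkpHeader builds a Public-Key-Pins header value from a pin set.
// RFC 7469 requires at least two pins (one must be a backup not in the served chain).
func hpkpHeader(pins []string, maxAge int, includeSubdomains bool) string {
	parts := make([]string, 0, len(pins)+2)
	for _, p := range pins {
		parts = append(parts, fmt.Sprintf(`pin-sha256="%s"`, p))
	}
	parts = append(parts, fmt.Sprintf("max-age=%d", maxAge))
	if includeSubdomains {
		parts = append(parts, "includeSubDomains")
	}
	return strings.Join(parts, "; ")
}

// chainMatchesPins applies the HPKP validation rule: the chain passes if ANY
// certificate in it (leaf, intermediate or root) has an SPKI hash in the pin set.
func chainMatchesPins(chain []*x509.Certificate, pins []string) bool {
	set := make(map[string]bool, len(pins))
	for _, p := range pins {
		set[p] = true
	}
	for _, c := range chain {
		if set[spkiPin(c)] {
			return true
		}
	}
	return false
}

// mkCert issues a constructed certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	usage := x509.KeyUsageDigitalSignature
	if isCA {
		usage |= x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Result captures what the scenario produces so it can be checked, not just printed.
type Result struct {
	Header    string
	EVChainOK bool // chain issued under the pinned ("EV") root
	DVChainOK bool // chain issued under an unrelated ("DV") root
}

// Demo reproduces the thread's scenario: the site pins its EV root plus a backup key.
func Demo() Result {
	evRoot, evKey := mkCert("Constructed EV Root", true, nil, nil)
	evLeaf, _ := mkCert("www.example.test", false, evRoot, evKey)
	dvRoot, dvKey := mkCert("Constructed DV Root", true, nil, nil)
	dvLeaf, _ := mkCert("www.example.test", false, dvRoot, dvKey) // same name, other CA
	backupRoot, _ := mkCert("Constructed Backup Root", true, nil, nil)

	pins := []string{spkiPin(evRoot), spkiPin(backupRoot)}
	return Result{
		Header:    hpkpHeader(pins, 5184000, false),
		EVChainOK: chainMatchesPins([]*x509.Certificate{evLeaf, evRoot}, pins),
		DVChainOK: chainMatchesPins([]*x509.Certificate{dvLeaf, dvRoot}, pins),
	}
}

func main() {
	r := Demo()
	fmt.Println("Public-Key-Pins:", r.Header)
	fmt.Println("chain under pinned EV root accepted:", r.EVChainOK)
	fmt.Println("chain under unrelated DV root accepted:", r.DVChainOK)
}
```

Two things the code makes concrete. First, the match is on the root's SPKI hash alone: any leaf that root (or a cross-signed intermediate of it) signs passes, EV or not, which is exactly the caveat raised in the reply above. Second, the pin only binds the browser after a first visit that delivered the header, so HPKP never protected a first connection; HPKP has since been removed from major browsers, so this mechanism is of historical interest for public sites.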
> Plus lack of identity validation. While the author of the article minimizes this, we shouldn't remove it from the equation just because users can't tell the difference. The right thing would be to fix the users' understanding rather than weaken the product.

But should we? I've never looked at an SSL cert past seeing the green lock icon and "https". Maybe I'm an idiot but I just don't see the value in checking it every time I go to a site AND remembering if it was just domain or one with identity the last time I visited...