by creshal 3888 days ago
Is identity validation under any circumstances more than snake oil?

Neither users nor browsers could tell whether a site is supposed to run a domain- or identification validated certificate. (Fun fact, HN uses a domain validated cert.) All you get is higher costs for some X.509 fields nobody ever looks at, and nobody would miss if an MITMing attacker replaced your ID validated cert with a domain validated one.


You can use HPKP to pin EV-only root CAs, so you can still replace your cert, but it can only be replaced with another EV one.

Doesn't protect against a hacked/rogue CA, but against someone getting access to your DNS/mail/web server and getting a usable certificate from an only-domain-validating CA.

Just because the CA or the intermediate says EV doesn't mean that they only issue EV certs. The CA we use at work will issue certs with their EV root when we need compatibility with older installs; they only had their EV root cross signed.

Yes, but EV is not the same as identity validation. That's another variant of certificates that was only introduced because identity validation alone is so bloody useless.

Couldn't you also use HPKP to pin the EV-only root?

That's actually what I meant. Edited.
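
An added illustration, not part of any comment in the thread: how an RFC 7469 (HPKP) pin check treats the cases discussed above, including a non-EV certificate issued under the pinned root. The SPKI byte strings are constructed stand-ins for real DER data, and all function and variable names are hypothetical.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp(header: str):
    """Return (set of pin-sha256 values, max-age or None) from a header value."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header))
    m = re.search(r"max-age=(\d+)", header)
    return pins, int(m.group(1)) if m else None

def chain_allowed(header: str, chain_spkis: list) -> bool:
    """True if any certificate in the validated chain matches a pinned key."""
    pins, max_age = parse_pkp(header)
    if not pins or not max_age:
        return True  # no usable policy (missing pins, or max-age absent/0)
    return any(spki_pin(s) in pins for s in chain_spkis)

# Constructed stand-ins for DER SPKI blobs (real ones come from the certificates).
EV_ROOT = b"constructed-spki: EV root CA"
BACKUP_ROOT = b"constructed-spki: backup EV root CA"
DV_ROOT = b"constructed-spki: domain-validating CA root"
SITE_EV = b"constructed-spki: site key, EV leaf"
SITE_DV = b"constructed-spki: site key, DV leaf from another CA"
SITE_NONEV = b"constructed-spki: site key, non-EV leaf under the EV root"

# Value of a Public-Key-Pins header pinning the EV root plus a backup pin.
HEADER = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000' % (
    spki_pin(EV_ROOT), spki_pin(BACKUP_ROOT))

def demo() -> dict:
    return {
        # Replacing the cert with another one chaining to the pinned root works.
        "ev_replacement": chain_allowed(HEADER, [SITE_EV, EV_ROOT]),
        # A cert obtained from a different, domain-validating CA is rejected.
        "dv_from_other_ca": chain_allowed(HEADER, [SITE_DV, DV_ROOT]),
        # The pin matches a key, not a validation level: anything the pinned
        # root issues passes, whether or not it is an EV certificate.
        "non_ev_under_pinned_root": chain_allowed(HEADER, [SITE_NONEV, EV_ROOT]),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```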