by detaro 3895 days ago
You can use HPKP to pin EV-only root CAs, so you can still replace your cert, but it can only be replaced against another EV one.

Doesn't protect against a hacked/rogue CA, but against someone getting access to your DNS/mail/web server and getting a usable certificate from an only-domain-validating CA.
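An added example, not code from the thread or from any of its posters, showing the mechanics behind the pin detaro describes. An HPKP pin (RFC 7469) is the base64 SHA-256 of the DER-encoded SubjectPublicKeyInfo, so it binds a key rather than a certificate: a leaf reissued under a pinned CA key keeps validating, and a pin on the CA's key accepts anything that CA signs. The script generates a throwaway self-signed stand-in for the root CA and a separate backup key in a temporary directory (both constructed; the file names are assumptions), computes the pins with openssl, builds the Public-Key-Pins header, and checks a presented certificate against a pin set. Two caveats for anyone reading this today: the spec requires a backup pin that is not in the current chain, and HPKP has since been deprecated and removed from the major browsers.

```shell
#!/bin/sh
# Added example, not from the HN thread. Generates a throwaway self-signed
# "EV root" (a constructed stand-in) and computes its HPKP pin with openssl.
set -eu

WORK=$(mktemp -d)            # assumed scratch location
ROOT_KEY="$WORK/root.key"    # assumed file names
ROOT_CERT="$WORK/root.pem"
BACKUP_KEY="$WORK/backup.key"

# Generate the stand-in root CA certificate plus a separate backup key
# (the backup pin must not be in the served chain, per RFC 7469).
make_keys() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ROOT_KEY" \
    -out "$ROOT_CERT" -days 1 -subj "/CN=Example EV Root" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$BACKUP_KEY" >/dev/null 2>&1
}

# HPKP pin of a certificate: base64(SHA-256(DER SubjectPublicKeyInfo)).
cert_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# The same pin computed from a private key. It matches cert_pin for any
# certificate issued to that key, which is why a reissued cert keeps its pin.
key_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# Build the header: current pin, backup pin, 60-day max-age.
build_header() {
  printf 'Public-Key-Pins: pin-sha256="%s"; pin-sha256="%s"; max-age=5184000\n' \
    "$1" "$2"
}

# Does a presented certificate satisfy a space-separated pin set?
# A pin on the CA key accepts every cert that CA issues, EV or not.
cert_matches_pins() {
  presented=$(cert_pin "$1")
  for p in $2; do
    [ "$p" = "$presented" ] && return 0
  done
  return 1
}

# Stand-alone demo: emit the header for the generated root.
make_keys
build_header "$(cert_pin "$ROOT_CERT")" "$(key_pin "$BACKUP_KEY")"
```

In a real deployment you would run cert_pin against the CA certificate you actually chain to (the cross-signed one, if that is what clients see) and key_pin against an offline backup key, and serve the resulting header only over a connection that already validates under the current pins.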


Just because the CA or the intermediate says EV doesn't mean that they only issue EV certs. The CA we use at work will issue certs with their EV root when we need compatibility with older installs; they only had their EV root cross-signed.
Yes, but EV is not the same as identity validation. That's another variant of certificates that was only introduced because identity validation alone is so bloody useless.
Couldn't you also use HPKP to pin the EV-only root?
That's actually what I meant. Edited.