by toast0
3877 days ago
Some of the certificates I've purchased have involved verifying some details of the organization, even though they weren't EV. I believe we needed a Dun and Bradstreet number when I got a certificate from Thawte in the late 90s (although I might be misremembering, something at that company needed that number...). And a more recent issuance wanted some other proof of existence / location; they had asked for a lease/utility bill, but issued with our location found in a state corporation database, before I could get a copy of something they would accept. I won't disclose the issuer of the recent cert, but I would put them in the top tier of reputation (and prices). I would hope an EV process would do a better verification, but I've never needed an EV cert, so I don't know.

DNSSEC is sort of like verifying to everyone that you control the DNS, near the time of use, as opposed to just verifying to a CA at time of issuance. Or in other words, if it's OK for a CA to trust DNS, letting everyone else trust it would be good too. At least the concept is right; 1024-bit RSA keys are kind of scary. And DNSSEC doesn't address confidentiality, but TLS with SNI also leaks hostnames.