[tialaramex]

Well this is a fun game though isn't it. If a firm of lawyers sues you "on behalf of Bank of America", at what point do you feel like they didn't check properly who their client was and so they are responsible for the bogus lawsuit and the resulting costs not this enormous corporation?

If only the manager of a local BoA branch told them they were hired?

How about if it's an assistant manager?

How about if rather than meeting them in the branch, the supposed assistant manager was in the area and so dropped in to the law office in person?

The attorneys weren't available, so, they did a Zoom call?

Just a phone call?

Actually it was an email.

At some point, you realise, wait, they didn't actually validate anything of value here did they, anybody could be this supposed "Bank of America". And the reality is that PKIX certificates began that slide essentially immediately, before even the PKIX working group was set up.

And this is only half of the problem. It's easy for Bank of America because we're both thinking of the same entity, but "Big Bob's" might be a burger restaurant in your city, a private security firm in mine, and an LA law firm, so a certificate for "Big Bob's" doesn't even "validate" a name we're agreed on. That's why DNS ends up mattering, the DNS offers a single global namespace.

[xg15]

Come on, that's not how it works. There are specific, well-defined circumstances that define what a particular legal entity (such as a company or a corporation) is and who may or may not act on its behalf.

Otherwise, any kind of company could escape responsibility by simply pretending it doesn't exist and every employee just acted on their own.

[tialaramex]

But which one is "not how it works" ?

As I said, for the DNS validation we actually have pretty specific technical rules today, the "Ten Blessed Methods" (well, their modern successors) which is why we're talking about one of those methods here (tls-alpn-01 is method 3.2.2.4.20)

Today there are rules for EV but they're understandably vague, because they're talking about the problem we addressed above, eventually they get down this idea of a "Principal Individual" which can include "an employee" who is merely "authorised to conduct business" on behalf of (in our example) Bank of America and of course you're back to square one. How can we know they're authorised ?

The trick in the DNS validation is that we're asking a question machines could potentially have an authoritative answer to. Does this applicant control this DNS name. Not "Should they?". Not to "Are they authorised?" but specifically do they control it.

The non-DNS validation can't do that.