by indymike
1253 days ago
The key to all of this is user awareness, and I'm not sure users care very much. I own a small payment processor, and we've researched this quite a bit: users only really care about whether the little lock is present in the URL bar, and they leave if they get warning dialogs. All the other stuff, badges, changing the awesome bar color, has very little effect on users. Users are about 80% sensitive to interruptions that say "not secure" or something else scary. There are a couple of things about certs that are very much arbitrary: the expiration date and any user-input identification data. CAs try to deal with the identification data by doing some kind of validation, but that has decayed to what amounts to proving you control the domain by doing some trivial thing. Expiration dates, as currently set, serve to ensure that people have to renew their certificates, and prior to Let's Encrypt, this guaranteed recurring revenue for CAs. Expiration dates make sense to ensure that at some point a compromised certificate would have to be replaced, but the way those dates are set is... very convenient for ARR.