[poguemahoney]

I think you've left out the ecosystem of semi-scam, without that the decisions look less logical.. If you go and add a private rootCA to all your servers there are risks. You can convince yourself the risks are covered, you can convince a highly qualified security analyst. Can you convince a business intern with a checklist hired by a certification firm that underbid the one with specialists? 30K to engage with no one on the topic starts to look ideal.

[bruce511]

I'm not sure the alternative is sef-created RootCA. (But perhaps I don't understand the underlying case.)

To me, the alternative is just a LE cert. Can do wildcards via DNS challenge.

[poguemahoney]

I was replying in the context of what you were replying to where they either could spend 30k or make a private root. I'm not sure they were actually using EV but for it to cost $30k and given the topic of the thread it seems plausible they were using some technicality on EV or similar to reduce public domain validation requirements.