by xg15 131 days ago
> A public CA checks it one-time, when it's being issued.

That's the same problem we have with server certs, and the general solution seems to be "shorter cert lifetimes".

> Worse still, some APIs (mainly for finance companies) require things like OV and EV, but of course they couldn't check the Subject DN if they wanted to.

Not an expert there, but isn't the point of EV that the CA verified the "real life entity" that requested the cert? So then it depends on what kind of access model the finance company was specifying for its API. "I don't care who is using my API as long as they are a company" is indeed a very stupid access model, but then I think the problem is deeper than just cert validation.

> "I don't care who is using my API as long as they are a company" is indeed a very stupid access model, but then I think the problem is deeper than just cert validation

It's not stupid if you reframe it as "you can only use my API if you give me a cryptographically verifiable trace to your legal identity".

That's true if it worked, but I think there was the problem that EV names aren't always enough to trace back the legal entity? At least that's what I read, it might be wrong.

> That's the same problem we have with server certs, and the general solution seems to be "shorter cert lifetimes".

No it isn't, and that's not the reason why cert lifetimes are getting smaller.

Cert lifetimes being smaller is to combat certs being stolen, not man in the middle attacks.

Not really, no. There are a number of reasons for cert lifetimes being made shorter.