by account42 133 days ago
> "I don't care who is using my API as long as they are a company" is indeed a very stupid access model, but then I think the problem is deeper than just cert validation

It's not stupid if you reframe it as "you can only use my API if you give me a cryptographically verifiable trace to your legal identity".

1 comment

That's true if it worked, but I think there was the problem that EV names aren't always enough to trace back the legal entity? At least that's what I read, it might be wrong.