by majelix 4643 days ago
> Business validation is optional and doesn't enhance the transport-layer security benefits of using SSL.

Except that SSL isn't just about transport-layer security, it's also about identity. The entire model of SSL breaks down if anyone can buy a certificate for anything.

2 comments

Except the identity part is well and truly fucked and in serious need of redoing. It relies on trusted CAs, which has been shown to be a bad idea, because some of the trusted CAs have mismanaged their private keys, or have been paid or coerced into giving out valid certificates to third parties, permitting them to impersonate websites.
Which browser makes it clear to the user that some unknown organization has "verified" the business hosting the domain they are at? All a user sees is a little lock, no matter what cert you buy.
EV Certs show the company identity, which has been verified. Go to paypal for an example.
Where? Changing the color of the lock? That's the whole point: users have absolutely no idea that means anything; they cannot differentiate between certs.
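The thread argues over what a certificate actually asserts about identity. The following is an added example, not code from the thread or any commenter, that makes the distinction concrete by reading the subject of a certificate in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and classifying it as domain-validated (DV), organization-validated (OV) or extended-validation (EV) by which subject attributes a CA vouched for. The sample certificates and "Example Corp" values are constructed for the demonstration; the attribute names are assumed to follow OpenSSL's long names as Python exposes them, and `fetch_peer_cert` is a small hypothetical helper for running the same check against a live server.

```python
"""Classify what identity claim a server certificate's subject carries.

Works on the dict returned by ssl.SSLSocket.getpeercert(): the 'subject'
key is a tuple of RDNs, each a tuple of (attribute, value) pairs.
"""
import socket
import ssl

# Attributes a domain-validated (DV) certificate has no reason to carry;
# their presence means the CA asserted something about an organization.
ORG_ATTRS = {"organizationName", "localityName", "stateOrProvinceName", "countryName"}

# Business-registration attributes that EV subjects carry in addition
# (attribute names assumed to match OpenSSL long names as Python shows them).
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def flatten_subject(subject):
    """Turn ((('k', 'v'),), ...) into a plain {'k': 'v'} dict."""
    flat = {}
    for rdn in subject:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def assurance_level(cert):
    """Return 'DV', 'OV' or 'EV' based on which subject attributes are present."""
    subject = flatten_subject(cert.get("subject", ()))
    has_org = "organizationName" in subject
    if has_org and EV_ATTRS <= subject.keys():
        return "EV"
    if has_org and ORG_ATTRS & subject.keys():
        return "OV"
    return "DV"


def describe(cert):
    """One-line, human-readable statement of what the CA actually vouched for."""
    subject = flatten_subject(cert.get("subject", ()))
    level = assurance_level(cert)
    name = subject.get("commonName", "?")
    if level == "DV":
        return f"DV: only control of {name} was proven; no organization is asserted"
    org = subject.get("organizationName")
    if level == "OV":
        return f"OV: {name} is asserted to belong to {org}"
    return (f"EV: {name} is asserted to belong to {org}, "
            f"registered {subject.get('serialNumber')} in "
            f"{subject.get('jurisdictionCountryName')}")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the validated leaf cert of a live server."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real certificates or organizations).
SAMPLE_DV = {"subject": ((("commonName", "shop.example.net"),),)}

SAMPLE_OV = {"subject": ((("countryName", "US"),),
                         (("stateOrProvinceName", "California"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}

SAMPLE_EV = {"subject": ((("jurisdictionCountryName", "US"),),
                         (("businessCategory", "Private Organization"),),
                         (("serialNumber", "C0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Corp"),),
                         (("commonName", "www.example.com"),))}

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(describe(sample))
```

Run against a live host with `describe(fetch_peer_cert("example.com"))`; a DV certificate yields exactly the situation the last comment complains about, a lock icon with no organization behind it, while the browser shows the same lock either way. Note that the classification is a heuristic over subject attributes; the authoritative EV signal is the CA's policy OID in the certificatePolicies extension, which `getpeercert()` does not expose.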