Comment by crote
21 hours ago
What's the alternative, showing the company's unique registration ID?
CAs invented EVs because the wanted to sell something which could make them more money than DVs. The fact that company names aren't unique means that the whole concept was fundamentally flawed from the start: there is no identifier which is both human-readable and guaranteed to uniquely identify an entity. They wanted to sell something which can't exist. The closest thing we have got is... domain names.
The alternative would have been to have the CA use human judgement when approving EV certificates and reject applications from organizations whose names shadowed better-known firms, or to only accept applications from a select set of organizations (like, say, banks). But either of those possibilities would have increased the cost of the program and limited the pool of applicants, so CAs chose the cheap, easy path which led to EV certificates becoming meaningless.
How many CAs do you think there are? How many countries do you think they operate in?
Maybe we could augment the old EV cert indicator with a flag icon, but now there's yet another thing that users have to pay attention to. Maybe the CA/Browser Forum could run a clearinghouse for company names, but apart from trivial examples, there might very well be legitimate cases of two companies with the same name in the same country, just in different industries. Now do we augment the indicator with an industry icon too? Then the company changes its name, or forms a subsidiary relationship, or what have you. Now do we need to put "Meta (formerly Facebook)" or "Facebook (division of Meta)" etc. in the name?
There's just so many problems with the EV cert approach at Internet scale and they're largely beyond solvable with current infrastructure and end-user expectations.
How do you decide when a company is "well-known"? What's going to happen when there are two well-known companies with the same name or a very similar name? What if a well-known company in country A expands to country B, where a well-known company with that name (but active in a different industry) already exists? How are you going to deal with subsidiaries which are both legally and organizationally separate? Who gets to keep the EV when a company spins off a division but both parts retain the same name?
"Use human judgement" might work for trivial examples of fraud, but it quickly breaks down once you try applying it to the real world. Besides, how are you going to apply the same "human judgement" across hundreds of employees at dozens of CAs? If anything, you're just begging to get sued by large corporations whose complex situation fell on the wrong side of your human judgement.