> This key belongs to the owner of this domain name AND this domain name matches this business name.
Instead, an EV cert comes with an extra name (the official business name) and then asserts:
> This key belongs to the owner of this domain name AND this key belongs to the owner of this other business name
Hence you get the image [1] of a website www.thesslstore.com but EV business name 'Rapid Web Services LLC'. Should that really mean that this counts as a 'verified' domain that gets a tick-mark?
That said, switching to a system more like the first assertion, and going with the 'verified' tick mark could work. It would make validating EV certs a lot harder though, as it requires a more subjective judgement to make. (e.g. could you validate windows.com for the company Microsoft? What about youtu.be for YouTube?) Making a wrong judgement here should look pretty bad for a cert-issuer.
[1] https://www.troyhunt.com/content/images/2019/08/image-4.png
- Using trademarks (this fixes the US issue of per-state homonym attacks).
- Not including the domain in the certificate at all. If an identity is verified, it's verified. Why limit where it can be used, or try and assert some unrelated fact?
The SSL Store (Computer Services) [US]
This has been suggested to Google, who indicated they were not interested.
I strongly disagree. It is still a domain that is entered into the URL box. On the web, websites are defined by their domain name. That is the thing I want verified. For EV I also want verification that the domain name matches a company that should have that name. But the core thing is a domain name.