I'm not underestimating how hard the problem is, I'm complaining that people are taking the difficulty as an excuse to pretend it does not exist, or to treat it as unsolvable.
I'm not saying it's easy in real life, I'm saying it's largely solved in real life. There is a big difference between those two ideas.
The difficulty was part of how it was solved. In addition to the physical difficulty of setting up a store, businesses have to be registered and licensed by state and local authorities. The purpose of the EV cert (and the OV cert, really) was to tie web trust back to that same regulatory infrastructure. If you have a problem with a site using an EV cert, you can look up the company info in the cert and contact their local authorities.
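As an added illustration of what "the company info in the cert" means, here is an example (not from any commenter in this thread) that builds a constructed self-signed certificate carrying OV/EV-style subject fields and then reads back the organization, country, registration number, jurisdiction of incorporation and EV policy OID the way a browser could before surfacing them to a user. The certificate, company name and registration number are made up; the OIDs come from the X.509 and CA/Browser Forum EV specifications, not from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum EV policy OID, the certificatePolicies extension OID, and the EV subject
// attribute jurisdictionOfIncorporationCountryName (all from the EV/X.509 specs, not this thread).
var oidEVPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
// BusinessIdentity is the validated company info a browser could show instead of a bare padlock.
type BusinessIdentity struct {
	Organization, Country, RegistrationNo, Jurisdiction string
	IsEV                                                bool
}
func first(s []string) string { if len(s) > 0 { return s[0] }; return "" }
// IdentityFromCert reads the subject's business fields and checks for the EV policy OID.
func IdentityFromCert(c *x509.Certificate) BusinessIdentity {
	id := BusinessIdentity{Organization: first(c.Subject.Organization), Country: first(c.Subject.Country), RegistrationNo: c.Subject.SerialNumber}
	for _, n := range c.Subject.Names { // Names keeps every parsed attribute, including non-standard OIDs
		if n.Type.Equal(oidJurisdictionCountry) { id.Jurisdiction, _ = n.Value.(string) }
	}
	for _, p := range c.PolicyIdentifiers { id.IsEV = id.IsEV || p.Equal(oidEVPolicy) } // EV is signalled by a policy OID
	return id
}
// MakeSampleCert builds a constructed self-signed cert with OV-style subject fields and, when ev
// is true, the EV policy OID; it stands in for a certificate fetched from a live site.
func MakeSampleCert(ev bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject: pkix.Name{CommonName: "shop.example", Organization: []string{"Example Retail Inc."}, Country: []string{"US"},
			SerialNumber: "12345678", // company registration number (constructed value)
			ExtraNames:   []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: "US"}}}}
	if ev { // certificatePolicies is a SEQUENCE OF PolicyInformation { policyIdentifier OID }
		raw, _ := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: raw}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
```

Without the EV policy OID the same subject fields parse identically, which is why a client has to check the policy extension rather than the subject to tell an EV cert from an OV one.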
> The purpose of the EV cert (and the OV cert, really) was to tie web trust back to that same regulatory infrastructure.
Except the only way to get what you want using EV is to force literally every site on the internet to go through the EV cert process. Otherwise, somebody's going to go get a "less verified" cert, set up an impostor site and phish people.
Is that really the world you want? Is that the price you're willing to pay to get it?
> Except the only way to get what you want using EV is to force literally every site on the internet to go through the EV cert process.
No it's not. There are a lot of ways to physically sell things without setting up a retail establishment. You can drag a box out onto the sidewalk and sell sunglasses to people; you can host a yard sale, you can set up at a flea market, you can use a classified ad or Craigslist, you can sell through MLM, etc. Customers will calibrate their level of trust based on the experience you provide.
Operating a physical retail store (or a bank branch, or a restaurant, etc.) carries with it an implicit promise of trust to the customer, and it's a promise that is backed by social and legal conventions.
So there's a range of experiences and implied trust in physical life, and it's fine if there is a range online. Site operators could choose the level of trust they're willing to invest in providing.
> Otherwise, somebody's going to go get a "less verified" cert, set up an impostor site and phish people.
That's only true if browsers make less verified certs look the same as more verified certs, which is what they are doing. It's a self-fulfilling prophecy. Now every site looks like a guy with a box on the sidewalk.
> That's only true if browsers make less verified certs look the same as more verified certs
Given that decades of user research overwhelmingly indicates that the average web user does not understand the components of the browser URL bar, and in many cases those users are completely unaware there even is useful information there, I'm going to bow out of this, because you're now into territory where you need to forcibly educate every single person on earth to understand the URL bar.
(and you're "only" now requiring that every single person who will ever do business of any sort must pay up for an EV cert, but that's actually less of a problem than trying to force people to understand what an EV cert is and how to tell if a site has one)
I think people have just developed a weird blindness about the possibilities of user interface in browsers. There's no reason browsers could not have created all sorts of interesting user experiences with the validated business information in EV and OV certs.