
The problem is simply corruption. DigiCert and the like buy up the competition and entrench themselves where there is no business or technical need for their existence.

It's pure rent seeking with approximately zero value provided in exchange.

Let's Encrypt demonstrated that the marginal cost of a certificate is close enough to $0 to round down to precisely zero dollars.

To see how deeply rooted this corruption is -- and it is corruption -- ask any major cloud provider like Azure or AWS whether they are willing to provide native ACME protocol integration to enable their customers to request Let's Encrypt certificates for arbitrary DNS-hosted services.

You'll hear nothing back. "No comment" or "We're considering it".

In other words: "We considered it, but then our boss's boss made it very clear to our boss that he was getting a kick-back from DigiCert and to never mention such topics ever again."



Fortunately, regulatory capture mandates EV certificates, to ensure snake oil still finds its market.


AFAIK, while EV certificates don't verify much, they do create a "chain of custody" leading back to a real "notary"-type person who registered the cert, and from there, to a real person who applied for the cert, who can be contacted using information held by the notary (esp. by law enforcement). It's pretty hard to register an EV cert, use it to spoof someone else's domain, and then not get in trouble.

...at least, it's pretty hard if your CA is located in a Western country. Which is the big loophole here. The fact that we trust CAs headquartered in arbitrary, potentially unfriendly countries to make claims about the entire space of domains is pretty silly. Trusting e.g. the Russian CAs in the trust store only when they make claims about .ru domains (a.k.a. the X.509 Name Constraints extension) would obviate a lot of the concerns people have about X.509's centrally curated trust store model.
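The per-CA scoping described in the comment above, as an added example that is not part of the original thread: a small Python checker that models the dNSName part of the X.509 Name Constraints extension (RFC 5280 section 4.2.1.10) and applies each CA's permitted/excluded subtrees to every DNS name in a leaf certificate's SAN list. The CA labels ("Hypothetical RU Root", "Hypothetical Unconstrained Root") and the SAN values are constructed for illustration; a real validator performs this check during chain building on parsed certificates, which this example does not do.

```python
"""Model of dNSName Name Constraints: which SAN entries may a constrained CA vouch for?

Added example, not code from the thread. CA names and SANs below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class NameConstraints:
    """Subset of the X.509 NameConstraints extension: dNSName subtrees only."""
    permitted: list[str] = field(default_factory=list)  # empty list = no restriction
    excluded: list[str] = field(default_factory=list)


def dns_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName matching: a constraint 'example.ru' matches 'example.ru'
    and any name built by adding labels on the left (e.g. 'www.example.ru').
    A leading-dot constraint '.ru' is not in the RFC but is tolerated by many
    implementations; it is treated here as "any name ending in .ru", which
    does not match the bare 'ru'. Comparison is case-insensitive and ignores
    a trailing dot. A wildcard label '*' is treated like any other label."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def dns_name_allowed(name: str, nc: NameConstraints) -> bool:
    """Excluded subtrees always win; permitted subtrees only apply when non-empty."""
    if any(dns_in_subtree(name, ex) for ex in nc.excluded):
        return False
    if nc.permitted and not any(dns_in_subtree(name, p) for p in nc.permitted):
        return False
    return True


def rejected_sans(san_dns_names: list[str],
                  chain: list[tuple[str, NameConstraints]]) -> list[str]:
    """Every CA above the leaf constrains all of its subordinates, so each SAN
    must satisfy each CA in the chain. Returns one reason string per bad SAN."""
    problems = []
    for name in san_dns_names:
        for ca_label, nc in chain:
            if not dns_name_allowed(name, nc):
                problems.append(f"{name}: outside constraints of {ca_label}")
                break
    return problems


# Constructed sample data: a root trusted only for .ru names vs. today's
# unconstrained root that may vouch for any domain.
RU_ROOT = ("Hypothetical RU Root", NameConstraints(permitted=["ru"]))
UNCONSTRAINED_ROOT = ("Hypothetical Unconstrained Root", NameConstraints())
LEAF_SANS = ["bank.example.ru", "www.example.com"]


def demo_constrained() -> list[str]:
    """Under a .ru-only root the example.com SAN is refused."""
    return rejected_sans(LEAF_SANS, [RU_ROOT])


def demo_unconstrained() -> list[str]:
    """Under an unconstrained root the same leaf is accepted for both names."""
    return rejected_sans(LEAF_SANS, [UNCONSTRAINED_ROOT])


def demo_excluded() -> list[str]:
    """An intermediate may be narrowed further: permitted example.ru, excluded internal.example.ru."""
    chain = [RU_ROOT, ("Hypothetical Intermediate",
                       NameConstraints(permitted=["example.ru"],
                                       excluded=["internal.example.ru"]))]
    return rejected_sans(["www.example.ru", "host.internal.example.ru", "other.ru"], chain)


if __name__ == "__main__":
    for label, fn in [("constrained", demo_constrained),
                      ("unconstrained", demo_unconstrained),
                      ("excluded", demo_excluded)]:
        print(label, "->", fn() or "all SANs accepted")
```

The point the checker makes concrete: with an empty `permitted` list (the situation for essentially every root in a browser trust store today) a CA can sign for any name; adding a single permitted subtree to a root's constraints limits the blast radius of that CA's mistakes or coercion to the names under it, and excluded subtrees let an operator carve holes out of a permitted range.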


EV certificates have no tie to a person. They have a tie to a corporate entity, which especially in Western countries, is basically intractable to an actual person. It takes a few minutes and $100 to create an anonymous LLC in the US.


From Namecheap's article on EV certs:

> [Criterion 2] Physical existence

> To check the organization's physical existence and business presence, the Certificate Authority must verify that the physical address provided by the Applicant is an address where the organization conducts business operations (not a mail drop, P.O. box or an address for an agent of the Organization). This address will be included into the body of the SSL certificate after verification.

That effectively translates to "there should be an address that criminal investigators can be sent to find and detain employees of the company."

> [Criterion 4] Operational existence

> To make sure that an organization is financially active and engaged in business activities, the Certificate Authority must verify that at least one of the following requirements is met:

> The Organization has been in existence for at least three years

> The Organization is registered in the Dun & Bradstreet database or Qualified Government Tax database

> The Organization has an active demand deposit account which can be proved by a bank statement.

That effectively translates to "you can't just make up an LLC and immediately get an EV cert for it, even if you do tell them your house is the headquarters. You'd have to put a good amount of time and effort into simulating a real business. So much that, if this were a spoofing attempt, you'd be noticed as in breach of trademark by the company you're trying to spoof, long before you got away with it."

> Professional Opinion Letter

> If you need to obtain an EV certificate urgently or prefer keeping the company details confidential, it is possible to send a professional opinion letter signed by a Lawyer, Public Notary or Certified Public Accountant. The person who signed the legal opinion or accountant letter should have a valid license within the country where the organization is registered or the country where the organization maintains an office or a physical facility. To expedite the validation process, we highly recommend requesting a Professional Opinion from a person who speaks English so that he or she can confirm the signature during phone verification with a Comodo (now Sectigo CA) validation agent.

And this, finally, translates to "you can mask your identity, but only behind someone who's notoriously signed a Code of Ethics that requires them to surrender your identity to criminal investigators when asked, without needing a subpoena."


Respectfully, you have a very optimistic view of how this plays out in practice, or even just from what is written in that article. Having obtained several EV certificates for "Stripe Inc", a company I created for $100 on the internet, this is a very basic process with very minimal safeguards. For example, Dun & Bradstreet really does not verify anything at all in its database, and most of the system is based around it for US-based certificates.

https://arstechnica.com/information-technology/2017/12/nope-...




