My company pays for an EV certificate, and we pin our clients to expect EV certificates in the corresponding domain names.
This gets us most of the benefits of standard certificate pinning without coupling us to any specific private key or certificate vendor.
The theory is that it’s hard(er) to fraudulently get an EV certificate issued, although—having gone through the process—it does not strike me as super secure against a determined adversary.
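As an added example (not the commenter's code), this is the kind of leaf-certificate check such a pin implies: after normal chain validation, confirm that the certificate's certificatePolicies extension carries the CA/Browser Forum EV policy OID 2.23.140.1.1. It assumes the DER value of that extension has already been extracted from the validated leaf by the TLS stack; the sample DER values are constructed, not taken from a real certificate.

```python
# Added example: check a certificatePolicies extension value (DER-encoded
# SEQUENCE OF PolicyInformation) for the CA/Browser Forum EV policy OID.
# Assumes the caller has already validated the chain and extracted the
# extension value from the leaf; this is not a full RFC 5280 policy walk.

EV_POLICY_OID = "2.23.140.1.1"      # CA/Browser Forum EV policy identifier

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode DER OID contents (base-128 arcs) into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def policy_oids(cert_policies_der):
    """Return every policyIdentifier OID in a certificatePolicies value."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = _read_tlv(seq, pos)    # one PolicyInformation
        otag, oid, _ = _read_tlv(info, 0)     # its policyIdentifier
        if otag == 0x06:                      # OBJECT IDENTIFIER
            oids.append(_decode_oid(oid))
    return oids

def is_ev_pinned_ok(cert_policies_der):
    """The pin check: the leaf must assert the EV policy OID."""
    return EV_POLICY_OID in policy_oids(cert_policies_der)

# Constructed sample extension values (hypothetical, hand-encoded DER).
# EV leaf: a CA-specific policy 1.2.3.4 (placeholder) plus 2.23.140.1.1.
EV_SAMPLE = bytes.fromhex("3010 3005 0603 2a0304 3007 0605 67810c0101")
# DV leaf: only 2.23.140.1.2.1, so the pin must reject it.
DV_SAMPLE = bytes.fromhex("300a 3008 0606 67810c010201")
```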