Since the cert log is public, all of this is auditable, as indeed the OP audited it.
Should there be some formal/official mechanism of auditing _every_ EV issued?
Perhaps cert authorities should be required to pay for an auditor to audit their certs -- not just the process or a sampling of certs, but automated auditing of every cert. The problem with this of course is the usual 'auditor capture': if the auditor is getting paid by the entity getting audited, the incentive is not to continually approve the auditing, but to make all the audits pass.
In some sense, this is a success story -- the transparency of the cert issuing log allowed the OP to choose to audit some of them, voluntarily. But transparency of the cert log clearly isn't enough, it's been years of bad certs before someone decided to volunteer their time to audit some of them. Just transparency isn't enough without social/business structures in place such that they actually _are_ being checked.
(This has parallels/analogies with other things...)
This is what Extended Validation is supposed to mean in the first place, and lends credence to the argument that EV solves a problem that shouldn't exist to begin with for 'regular' certs.
No, I am not talking about what EV is supposed to mean in the first place.
EV, contrary to ordinary certs, is supposed to mean the cert authority verified the registrant really is the name on the cert. For ordinary certs the CA doesn't even claim they did that; they don't even claim that a cert that says Joe Smith on it was registered by someone whose legal name is Joe Smith, or that a cert that says Widgets Inc on it was registered by a company with that name. The CAs are claiming to do a different thing with EV certs.
I am talking about a third party auditing the EV certs to ensure the CA was doing what they committed to do. Like a third party audits a bank, by analogy. The fact that banks get audited doesn't mean the bank is useless in the first place. But the auditors do (theoretically, if the system is working) help keep them honest.
One of the points of the transparent log is to make this possible. But if nobody is actually checking... it is not quite accomplishing this point. The fact that a transparent log is a good thing so someone can audit doesn't mean the EV is "useless in the first place".
(An EV might be useless in the first place for other reasons, but not because auditing is a good thing).
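As an added example (not code from anyone in this thread), here is the shape of the automated, per-certificate check the comments above argue for: given a DER-encoded X.509 subject Name, it parses the RDNSequence and reports which subject attributes that the CA/Browser Forum EV Guidelines require (organizationName, businessCategory, jurisdictionCountryName, serialNumber, countryName) are absent. It assumes an auditor would be walking leaf entries pulled from a CT log and parsing whole certificates; that fetching and full-certificate parsing is left out, and the sample subjects are constructed inline with a small DER encoder so the script runs offline.

```python
"""Minimal EV subject-attribute audit over DER-encoded X.509 Names (added example)."""

# Subject attributes this example treats as required for an EV cert,
# following the CA/Browser Forum EV Guidelines' subject DN requirements.
EV_REQUIRED_SUBJECT_ATTRS = {
    "2.5.4.10": "organizationName",
    "2.5.4.15": "businessCategory",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionCountryName",
    "2.5.4.5": "serialNumber",
    "2.5.4.6": "countryName",
}


def _read_tlv(data, pos):
    """Decode one DER TLV at data[pos]; return (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]  # first byte packs the first two arcs
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_subject(der_name):
    """Parse a DER Name (SEQUENCE OF SET OF SEQUENCE {OID, value}) into {oid: text}."""
    tag, body, _ = _read_tlv(der_name, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = {}, 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)        # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)  # SEQUENCE {type, value}
            _, oid_raw, p = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, p)
            attrs[decode_oid(oid_raw)] = val_raw.decode("utf-8")
    return attrs


def ev_subject_findings(der_name):
    """Return the names of EV-required subject attributes missing from the Name."""
    present = parse_subject(der_name)
    return sorted(name for oid, name in EV_REQUIRED_SUBJECT_ATTRS.items() if oid not in present)


# --- tiny DER encoder, only used to construct sample subjects for this example ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # remaining 7-bit groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_subject(attrs):
    """Encode {oid: text} as a DER Name, one attribute per RDN, UTF8String values."""
    rdns = b"".join(
        _der(0x31, _der(0x30, _der(0x06, encode_oid(oid)) + _der(0x0C, text.encode("utf-8"))))
        for oid, text in attrs.items()
    )
    return _der(0x30, rdns)


# Constructed sample subjects; not taken from any real certificate.
GOOD_EV_SUBJECT = build_subject({
    "2.5.4.6": "US",
    "2.5.4.10": "Example Widgets Inc",
    "2.5.4.15": "Private Organization",
    "1.3.6.1.4.1.311.60.2.1.3": "US",
    "2.5.4.5": "1234567",
    "2.5.4.3": "www.example.com",
})
# A subject like this under an EV policy would be exactly the kind of finding an auditor reports.
BAD_EV_SUBJECT = build_subject({
    "2.5.4.6": "US",
    "2.5.4.10": "Example Widgets Inc",
    "2.5.4.3": "www.example.com",
})

if __name__ == "__main__":
    for label, subj in (("good", GOOD_EV_SUBJECT), ("bad", BAD_EV_SUBJECT)):
        print(label, ev_subject_findings(subj) or "no findings")
```

Running it prints no findings for the first subject and lists businessCategory, jurisdictionCountryName and serialNumber for the second. In a real audit the same `ev_subject_findings` would be applied to the subject of every certificate carrying an EV policy OID that the log publishes, which is what makes "every cert" rather than a sample feasible.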