Posts by Secure128.com

1 publicly visible post • joined 20 Apr 2011

How is SSL hopelessly broken? Let us count the ways

Secure128.com

There is an obvious fix to this...

Comodo's CEO is correct only in that the browser makers need to assert more control over the SSL CA industry with the processes it follows and that Certificate Authorities reduce costs by reducing verification efforts. It's ridiculous that he points blame at the Iranian government and blames VeriSign for downing the industry as smokescreens to the real problem... that Comodo actually gave access to its certificate signing credentials to its resellers rather than doing the validations themselves.

There is already an easy fix to this scenario and it's called Extended Validation SSL. EV SSL is the ONLY type of SSL that requires a STANDARDIZED set of validation procedures for the Certificate Authority. The CA's procedures are audited and verified annually. Problem is that aside from the green URL bar with EV certs, browsers must differentiate between the different SSL types... DV, OV, and EV. Otherwise most website visitors don't know the difference and will buy the cheapest possible product to display a padlock.

In the end, Certificate Authorities are only trying to keep up with market demand and are not going to self-regulate themselves if it means any dip in profit. Maybe Google leading the regulation would be a wise choice here?
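The post says browsers need to differentiate DV, OV and EV certificates. The one machine-readable signal a verifier has for that is the Certificate Policies extension, where CA/Browser Forum OIDs mark the validation level: 2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV and 2.23.140.1.2.1 for DV. The script below is an added example and is not code from the post, from Secure128 or from Ars Technica. It assumes the `openssl` command-line tool is installed, classifies a PEM certificate by searching its DER encoding for the ASN.1 encoding of those three OIDs (so it does not depend on which OID names a given OpenSSL build knows), and builds throwaway self-signed certificates carrying each OID as constructed test input. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Classify a certificate's
# validation level from the CA/Browser Forum policy OIDs it carries.
# Assumes the `openssl` CLI is available.

# DER encoding of the CABF policy OIDs (tag 06, length, then the OID body):
#   2.23.140.1.1   -> 06 05 67 81 0c 01 01   (EV)
#   2.23.140.1.2.2 -> 06 06 67 81 0c 01 02 02 (OV)
#   2.23.140.1.2.1 -> 06 06 67 81 0c 01 02 01 (DV)
# (2*40+23 = 0x67; 140 = 0x81 0x0c in base-128 continuation form.)
EV_OID_HEX=060567810c0101
OV_OID_HEX=060667810c010202
DV_OID_HEX=060667810c010201

# classify_cert <cert.pem>: prints EV, OV, DV or UNKNOWN.
# Works on the raw DER bytes so OID naming differences between OpenSSL
# versions cannot change the result.
classify_cert() {
    hex=$(openssl x509 -in "$1" -outform DER 2>/dev/null \
          | od -An -v -tx1 | tr -d ' \n') || { echo UNKNOWN; return 0; }
    case "$hex" in
        *"$EV_OID_HEX"*) echo EV ;;
        *"$OV_OID_HEX"*) echo OV ;;
        *"$DV_OID_HEX"*) echo DV ;;
        *)               echo UNKNOWN ;;
    esac
}

# make_test_cert <out.pem> <policy-oid>: constructed test input only.
# Builds a self-signed certificate for the made-up name example.test whose
# Certificate Policies extension asserts the given OID.
make_test_cert() {
    tmp=$(mktemp -d)
    cat > "$tmp/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = example.test
[ext]
certificatePolicies = $2
EOF
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$tmp/key.pem" -out "$1" -days 1 -subj "/CN=example.test" \
        -config "$tmp/req.cnf" -extensions ext >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Demo when run directly: generate one certificate per level and classify it.
demo_dir=$(mktemp -d)
for level_oid in "EV 2.23.140.1.1" "OV 2.23.140.1.2.2" "DV 2.23.140.1.2.1"; do
    set -- $level_oid
    make_test_cert "$demo_dir/$1.pem" "$2"
    echo "$1 certificate classified as: $(classify_cert "$demo_dir/$1.pem")"
done
rm -rf "$demo_dir"
```

The policy OID is only half of what a browser checks: any issuer, including the throwaway self-signed test certificate above, can assert the EV OID, so a real client accepts it as EV only when the certificate chains to a root that the browser's trust store has explicitly enabled for EV with that OID. Run against a production certificate (`classify_cert server.pem`), the script therefore answers "which level does the CA claim", not "which level should the UI show".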