
I’m not sure I see the point of these certificates in the first place. You can get literally any website certified in 5 minutes.


True - the purpose was to authenticate, not just encrypt. Years ago, every CA had additional tiers of authentication for certificates that included all sorts of ID checks, corporate records, etc. The idea was that businesses would pay extra for a certificate that guaranteed they were the legitimate brand. However, users couldn't easily differentiate between these levels, so there was no point.

Now people have come to realize a cert basically ties a service to a domain name and that is basically the best you can do in most cases.


> The idea was that businesses would pay extra for a certificate that guaranteed they were the legitimate brand

I really liked that functionality, it made sense to me


I don't. The decision of who is a "legitimate brand" shouldn't be in the hands of a private company or a bureaucratic government. The concept is ripe for discrimination at pretty much every step.


What are you trying to say?

A company only exists as a legal fiction created by government bureaucrats.

Governments regularly issue documents about these companies, i.e., a certificate of incorporation.

How is this any different?


Have you seen the corporate names companies use? They're quite opaque and indistinguishable from similarly sounding ones.


This is often cited as the reason (but there are plenty more):

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

If the CAs are doing their jobs...then FirstBank.com can get a cert for their web site. But the gang who rooted a bunch of home routers (or hacked a WiFi setup, or whatever) can't.

If not...then yeah, that's the problem.
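Two points in this thread can be shown in code: the earlier comment's observation that a certificate ties a service to a domain name, and the comment just above about a CA-issued certificate being something a router-hijacking attacker cannot mint. The Go program below is an added example for this page, not any commenter's code. It builds an in-memory root CA, issues certificates for the placeholder name firstbank.example (with and without an Organization field, which is what OV/EV-style certificates add on top of the domain binding), mints a self-signed certificate for the same name as an attacker would, and verifies each the way a TLS client does. The CA name, the site name and the organization string are all assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Everything here is generated in memory: a stand-in root CA, server
// certificates it issues, and a self-signed certificate for the same name.
// "firstbank.example" is a placeholder chosen for this example.
const siteName = "firstbank.example"

// Result summarises one verification attempt.
type Result struct {
	Org   string // Organization in the subject ("" for a plain DV-style cert)
	Valid bool   // chain and hostname check both passed
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// makeCA builds a self-signed CA certificate standing in for a trusted root.
func makeCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueLeaf makes a server certificate for dnsName. A non-empty org adds the
// Organization field that OV/EV-style certificates carry on top of the domain
// binding. With caCert == nil the certificate is self-signed, which is all an
// attacker can mint for a name they do not control.
func issueLeaf(dnsName, org string, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the binding a TLS client actually checks
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		tmpl.Subject.Organization = []string{org}
	}
	parent, signer := tmpl, key // self-signed unless a CA is supplied
	if caCert != nil {
		parent, signer = caCert, caKey
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
}

// verifyFor does what a TLS client does: chain to a trusted root and match
// host against the certificate's subject alternative names.
func verifyFor(leaf, root *x509.Certificate, host string) Result {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	org := ""
	if len(leaf.Subject.Organization) > 0 {
		org = leaf.Subject.Organization[0]
	}
	return Result{Org: org, Valid: err == nil}
}

// runScenarios issues the certificates and verifies each one.
func runScenarios() map[string]Result {
	root, rootKey := makeCA()
	dv := issueLeaf(siteName, "", root, rootKey)
	ov := issueLeaf(siteName, "First Bank (example org)", root, rootKey)
	// The attacker can write any Organization they like; it buys nothing.
	rogue := issueLeaf(siteName, "First Bank (example org)", nil, nil)
	return map[string]Result{
		"ca-issued-dv":          verifyFor(dv, root, siteName),
		"ca-issued-ov":          verifyFor(ov, root, siteName),
		"ca-issued-wrong-host":  verifyFor(dv, root, "login-firstbank.example"),
		"self-signed-same-name": verifyFor(rogue, root, siteName),
	}
}

func main() {
	for name, r := range runScenarios() {
		fmt.Printf("%-22s valid=%-5v org=%q\n", name, r.Valid, r.Org)
	}
}
```

The two CA-issued certificates verify only for the exact name in their SAN list; the self-signed one for the same name fails with an unknown-authority error even though its subject claims the same organization. That is the whole of what a browser can check: the chain to a trusted root and the domain binding, which is why the Organization field only means something if the CA actually vetted it.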



