> EV no longer skips SmartScreen either nowadays. I understand that was abused

EV was always going to be abused. It started out promising to be a human-verified, $10k cert that meant you were GUARANTEED to be who it said you were. Now I can get one for a couple hundred bucks.

The solution is to separate identity from encryption. They never should have been linked.

> There's no way to avoid that AFAICT and even if you're an established business you hit it at intervals because all these certificates expire and so the whole process resets every few years anyway. What a mess.

Maybe have overlapping sets of certificates and dual-sign your binaries? That way there's always an "aged" certificate available.

> EV no longer skips SmartScreen either nowadays.

Not sure of the exact number, but the "nowadays" here is more than a decade.
