I just wish they wouldn't confuse encryption with authenticity.
If the higher-ups want web connections to be secure, why not just bake in basic encryption into HTTP? Granted, this would provide no authenticity, but it would provide encryption. Think self-signed certificates without the scary warning.
I'm all for securing things and providing security. But I just don't know if this certificate and certification validation requirement is the right path.