We went to EdgeConf last Saturday. Edge is an invite-only conference for the developers of all the major browsers, standards bodies, authors of common web libraries, and developer relations people from every major web standards organization.
The Chrome team, the Microsoft folks, Mozilla staff, W3C representatives, people from GSM-A, folk from ECMA-262, and the CDNs were there. Edge was a great event and a great deal already seems to be happening already from some of the discussions at that event.
Not everyone involved in the web had a presence at EdgeConf. Out of the hundreds of CAs your OS trusts, zero attended. There only groups in the room involved in issuing certificates were CertSimple and LetsEncrypt.
Listening to web developers and their experiences during both the Security Panel Session and the following Security Breakout there were a number of fairly understandable misconceptions around certificate validation.
This is symptomatic of the current relationship between CAs and developers:
Developers have a lot of questions and want specific, technical answers. CAs yell 'Green bar! Trust!' repeatedly and try and sell them IE5 support or extra visitors by users with browser extensions. This does little to ensure developer confidence in Certificate Authorities or justify the significant price difference between EV certificates and cheap/free DV certificates beyond what the browser displays.
The CA/Browser Forum, a group of all the major CAs and browser makers that create the EV standard, has a tiny official FAQ that omits answers to most of the common questions. You could read the EV spec, comprising the Baseline requirements and EV requirements, but like any spec, they're long, detailed, and some parts of it - like site inspections looking for permanent signage, or steps only relevant for government-departments applying for EV certs - are extremely unlikely to occur in a normal EV process.
The result is that developers often have little insight into the processes behind either DV or EV HTTPS validation.
We're biased: CertSimple only sell EV certificates. Everything you're about to read is referenced in the EV guidelines or baseline requirements.
DV and EV HTTPS are different levels of validations - identity checking - used for SSL certificates.
In the 90s, Certificate Authorities required applicants to go through a long processes of faxing documents back and forth to prove their identity, prior to being issued an SSL certificate.
Over time, one CA dropped the identity checks in favor of having an official-sounding admin address at a domain. The other CAs soon followed suit.
DV (Domain Validation) is the name given retroactively to the most common kind of SSL certificates, where proof of control over a domain is used to issue a certificate for that domain.
EV (Extended Validation) is a newer validation standard requiring proof of the company's identity in addition to control over the domain. Browsers users typically see EV as a green bar with a company name in their address bar.
Browser makers and Certificate Authorities, via the CA/Browser forum
Additional requirements of extended validation are stored in the Extended Validation requirements
All certificates (both EV and domain validated) should follow the Baseline Requirements but since DV certificates existed before the requirements this is not guaranteed.
EV certificates must follow the EV guidelines (which extend the baseline requirements).
No. All encryption algorithms are available for both types of certificate. Security is considered to have three elements:
The confidentiality and integrity of EV certificates is the same as DV certificates.
Yes. The authentication requirements for an EV certificate are higher. EV certificates prove a real-world company: DV certificates prove you own a domain which may or may not represent a real world company.
This is why EV certificates have a different
subject from DV certificates.
It's the thing being attested to by the certificate. In DV's case the subject is a domain, in EV's case it's a legal entity, typically a company but sometimes a registered charity or other legal entity.
Here is a DV cert:
openssl x509 -in domain-validated-example.com.crt -noout -text | grep Subject OU=Domain Control Validated CN=example.com DNS:example.com
Here is an EV cert:
openssl x509 -in extended-validated-example.com.crt -noout -text | grep Subject: jurisdictionOfIncorporationCountryName=GB businessCategory=Private Organization serialNumber=09378892 C=GB ST=City of London L=London O=example Limited CN=example.com DNS:example.com -
Companies in the UK are registered with a UK-wide organization called Companies House. The serialNumber
09378892 in the certificate above is a company registration number from Companies House.
In the USA, organisations are registered on a per-state basis, so serialNumbers in US certificates refer to a company ID at the relevant Secretary of State.
Have a domain - any domain will do. Typically, one of:
whoisfor a domain
The most common method used is 'official looking email address'. The domain can look like another company, but that's not checked. All a DV cert asserts is that you have a domain, not whether the domain represents a particular legal entity.
DV gives you a lock when you connect to
https://bank.com/onlinebanking - since you are genuinely communicating via an encrypted channel to
DV would additionally give you a green lock when you connect to
https://bank.com-onlinebanking.ru, a site that looks similar to bank.com but which is in Russia. The 'origin' in this case is
com-onlinebanking.ru. However - since you are communicating via an encrypted channel to
com-onlinebanking.ru, the lock displays for
https://bank.com-onlinebanking.ru exactly as it would for
This can and has happened before with some of the largest sites on the internet.
There are a few problems here:
For the same reasons you'd want to prove your real worl identity online, including:
Extended validation checks:
In the UK: Companies House, in Israel, the Ministry of Justice, in the US, the local Secretary of State.
Typically, Dun & Bradstreet, Hoovers, White Pages, etc. These can't be self reported: the Qualified Independent Information Source must review the information.
These contact details will be used to contact the company by telephone. A verifying agent from the CA will ask to speak to HR for larger companies. Then the verifying agent will confirm the authority of the admin contact to make decisions on behalf of the company (e.g., get a certificate issued), and speak to the admin contact to make sure they approve of the order. This is designed to stop someone who works for the company from creating their own rogue certificates.
EV requires all the domain names must be in the certificate, and inspected by the CA. If you request a certificate for
bankofamerica.com-othercompany.ru you'll be rejected.
There are no wildcards, but you can have as many domain names as you want. You can also add domain names to a certificate later.
Per the Baseline Requirements, applied to all certificates. These steps are the same as the steps for DV certificates specified above.
Some CAs typically ask an lawyer or accountant to write a letter of attestation, which allows the lawyer/accountant to attest to some aspects of the company, and the CA to do less work. The CA still has to check the lawyer/accountants credentials.
Here's an EV order running from start to finish. Note CertSimple checks your detais before you pay, so CertSimple is a lot faster than other CAs.
No. Thankfully Chrome requires all EV certs issued post January 1 2015 to have certificate transparency. This can be used to stop a CA from issuing certificates for your organisation using someone else's key pair.
Since Chrome has a large market share, this effectively means that all EV certificates must now support Certificate Transparency.
One person at Edge conference thought the EV process seemed too easy. There's a very common, very understandable misconception that we've even had to clarify in our own communication:
Yes, the EV application process asks you for the phone number of a administrative contact. This is not actually used to validate your identity. Here's are common conversations we have with admin contacts:
"You're asking for a Doing Business As name (trading name in the UK) to appear on your EV cert. Can you provide evidence of that name being registered with the government?"
"We've investigated your company and the State of California says you're suspended because you missed a bill. We can't issue your certificate until this is resolved."
PS. CertSimple now check that companies are active during our application process and flag that up before you proceed with your order.
An audience member at EdgeConf noted that YTS.RE, a pirate torrent site, used to have an EV certificate. While the torrent site has since changed domains, this seems to check out: YTS.RE is a registered company in the UK and they have a postal address at a coworking space just near the Old St Roundabout.
Is YTS.re doing something illegal? Yes.
Does that change whether they're allowed to assert that they're definitely YTS.RE Ltd in their EV certificate? No.
SSL validation process concerns identity: this is an entirely separate matter from the ethics of a company. YTS.RE had a certificate because it's a real company, with an office just off the Old St Roundabout in London.
Undoubtedly. EV requires more validation than DV, but it's definitely possible. Improvements to how companies are validated for SSL will likely come as future additions to the EV Specification.
Essentially the cost of EV is the cost of validation. As time goes on, and as there are more CAs, we suspect the competition will increase and the price of EV will go down.
However, the current per-year price of EV is less than a half a single day's work by an average programmer. The current basic per-month cost is a similar price to what companies often already pay for services like GitHub or Trello. This cost is manageable for most businesses.
If you want to prove your companies real-world identity online, CertSimple provides high-assurance EV certificates simply and painlessly - we're the fastest in the world - meaning you can get a high-assurance certificate quickly and painlessly.
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!