Why we don't sell domain validated HTTPS certificates

When we first announced we were starting a company focused on extended validation SSL, a frequent question from others was: why EV?

Only a small portion of websites currently use EV certificates, and Domain Validated (DV) SSL certificates are far more common.

The minimal requirements of domain validation can be completely automated, making DV certificates far easier for the SSL vendor to process.

So why don't CertSimple sell domain validated certificates?

Domain Validated SSL won't make you live a lonely, sad and colorless life but there's a good reason that browsers show the additional markers for extended validation certificates.

Domain Validated certificates don't check who you are.

Yes, really. You can get a domain validated certificate for a domain like somecompanysupport.com, even though you have nothing to do with Some Company, and it's considered fine. Here's records of people obtaining domain validated SSL certs for https://google.com.mg and https://google.com.im.

Domain validation does not assert that the certificate has anything to do with Some Company - even if the domain seems like it does have something to do with some company. Domain validation has no requirement to check the domain name matches any legal entity.

In short: no EV === no identity checks.

You'll frequently see fraud sites registering official-sounding domain names that include common brands, and then settting up fake sites on those domains to collect user's passwords. The fraudsters are able to obtain DV SSL certificates despite not having anything to do with the brand because DV doesn't assert identity.

Encryption only has value when you know who you're talking to. Encrypting your secrets with a public key in a certificate won't make a difference unless you know who that public key belongs to.

The EV requirements make companies applying for certificates actually prove that a specific legal entity is actually applying for the certificate. That legal entity is then incorporated into the certificate and shown in browsers.

DV certificates allow 'yourbank.com.othercompany.com' to display a lock in older browsers.

DV SSL also allows someone to register '*.com.othercompany.com' wildcard and then create 'yourbank.com.othercompany.com' and have this domain name display a green lock in older browsers.

With EV, wildcards are banned. Instead, every fully qualified domain name is explictly mentioned in the certificate, and every domain name is reviewed by the CA before the certificate is issued or rejected.

Domain validated SSL shows a grayed out, hollow lock in Microsoft Edge

Microsoft's newest browser shows a grayed out, hollow lock when encountering domain validated SSL.

An EV certificate will display a full green lock.

DV providers don't need to provide OCSP

If you ever need to revoke a compromised or misissued certificate, OCSP, the modern (and more scalable) certificate revocation mechanism, is a mandatory part of the EV spec.

DV providers don't need to provide certificate transparency

Certificate Transparency is a mechnism to make new certificates issued by CAs public. The intention is to prevent misissued certificates, i.e., certifictes created for a keypair that doesn't belong to the organization that owns the certificate.

Certificate Transparency is not an official part of the EV requirements, but Google requires Certificate Transparency in Chrome for all EV certificates. Since Chrome is one of the most popular browsers, the practical effect is that all EV Certificate providers must now provide certificate transparency.

EV isn't perfect, but the trend is towards greater identity assurance for SSL.

EV isn't perfect. There are flaws in the EV validation process, and attacks against EV exist, typically replacing them with domain validated certificates via man-in-the-middle attacks using browser exploits.

Additionally, EV, like offline forms of identification, does not assure the entity being verified is a good company to do business with: merely that they are that company. Your passport, for example, doesn't prove that you're a nice person. Communicating this to end users is a challenge: even well known network engineers have been confused by this. Having an EV cert doesn't mean that you're good, it just means you are who you say you are.

However EV is specifically designed to be a stronger assurance of identity and the trend is towards more identity assurance rather than less. EV has been growing rapidly in the last few years and EV will have an compound annual growth of 32.52% percent to 2019.

The only mechanism to check a certificate matches a legal entity is EV. Newer requirements around checking a certificate matches a legal entity will come as additions to the EV requirements.

Domain names aren't identity. Users encrypt your traffic so that someone in particular can read it, but with domain validation they don't know who that someone is.

EV is how SSL should have always been.