Logo

PKI Consortium blog

Posts by tag EV

    What Are the Different Types of SSL Certificates?
    August 7, 2013 by Dean Coclin DV Encryption EV Identity Phishing SSL/TLS

    Domain Validation (DV)

    A Domain Validated SSL certificate is issued after proof that the owner has the right to use their domain is established. This is typically done by the CA sending an email to the domain owner (as listed in a WHOIS database). Once the owner responds, the certificate is issued. Many CAs perform additional fraud checks to minimize issuance of a certificate to a domain which may be similar to a high value domain (i.e. Micros0ft.com, g00gle.com, b0fay.com). The certificate only contains the domain name. Because of the minimal checks performed, this certificate is typically issued quicker than other types of certificates. While the browser displays a padlock, examination of the certificate will not show the company name as this was not validated.

    CAs Support Standards and Regulations
    May 10, 2013 by Bruce Morton (Entrust) CA/Browser Forum CASC CICA ETSI EV SSL/TLS WebTrust

    There is an industry myth that certification authorities (CAs) are not regulated. In fact publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance to the many requirements.

    To provide some history, SSL CAs have always self-policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA audit criteria, the CAs contracted for SAS 70 audits.

    Self-Signed Certificates Don’t Deliver Trust
    April 2, 2013 by Bruce Morton (Entrust) CRL DV EV NIST OCSP Policy SSL/TLS

    We’ve heard the argument that website operators could just use self-signed certificates. They are easy to issue and they are “free.” Before issuing self-signed certificates, it’s a good idea to examine the trust and security model. You should also compare self-signed certificates to the publicly trusted certification authority (CA) model; and then make your own decision.

    Self-Signed Certificate Model

    • Owner says who they are
    • Owner issues on their own policy
    • Owner is responsible for quality
    • Owner may not follow industry guidelines
    • Owner may not provide certificate status
    • Compromised certificates may not be able to be revoked
    • Owner is not audited
    • Issuer of certificate may not be authorized by the domain owner
    • Certificates may not be renewed if there are no reminders
    • Self-signed certificate model does not provide trust and the browser provides a trust dialogue box to indicate such

    Publicly-Trusted CA-Signed Certificate Model

    • CA verifies the owner of the domain and the certificate applicant
    • CA operates to a policy in conformance with the requirements of the browser and operating system vendors. The requirements include the CA/Browser Forum Baseline Requirements, Extended validation (EV) Guidelines and recommendations from NIST.
    • CA provides quality to the certificate. Checks include compromised keys, minimum key size, ensuring hashing algorithms, maximum validity period and proper certificate extensions.
    • CA updates policy based on industry best practices
    • CA provides certificate status through CRL and OCSP
    • Compromised certificates can be revoked
    • CA is audited to certificate issuing criteria such as WebTrust for CA, WebTrust for EV and SSL Baseline Requirements
    • Certificate requesters for a Domain validated certificate are authorized by the owner of the domain. Requesters for Organization and Extended Validation certificates are authorized by a member of the organization specified in the certificate.
    • CAs provide multiple reminders to ensure the certificates are renewed before they expire. CAs may also provide certificate discovery tools to find certificates on your systems which may not have reminders.
    • Publicly trusted CA model is based on the CA being a trusted third party to the browser/OS vendor, the website certificate subscriber and the end-users of the website. The CA is obligated to meet the requirements of all three parties.

    So, when should you use a self-signed certificate?

    When trust, security, service, quality and reliability are not your criteria.

    Participate in our community discussions and/or join the consortium