PKI Consortium blog
Posts by tag EV
What Are the Different Types of SSL Certificates?
August 7, 2013 by
Dean Coclin
DV
Encryption
EV
Identity
Phishing
SSL/TLS
Domain Validation (DV) A Domain Validated SSL certificate is issued after proof that the owner has the right to use their domain is established. This is typically done by the CA sending an email to the domain owner (as listed in a WHOIS database). Once the owner responds, the certificate is issued. Many CAs perform additional fraud checks to minimize issuance of a certificate to a domain which may be similar to a high value domain (i.
CAs Support Standards and Regulations
May 10, 2013 by
Bruce Morton
(Entrust)
CA/Browser Forum
CASC
CICA
ETSI
EV
SSL/TLS
WebTrust
There is an industry myth that certification authorities (CAs) are not regulated. In fact publicly-trusted SSL CAs support the development of industry regulations and have been audited annually to ensure compliance to the many requirements.
To provide some history, SSL CAs have always self-policed themselves by having external audits performed. In the ‘90s, the CAs wrote certificate policies and certification practice statements requiring annual compliance audits. Since there were no CA audit criteria, the CAs contracted for SAS 70 audits.
Self-Signed Certificates Don’t Deliver Trust
April 2, 2013 by
Bruce Morton
(Entrust)
CRL
DV
EV
NIST
OCSP
Policy
SSL/TLS
We’ve heard the argument that website operators could just use self-signed certificates. They are easy to issue and they are “free.” Before issuing self-signed certificates, it’s a good idea to examine the trust and security model. You should also compare self-signed certificates to the publicly trusted certification authority (CA) model; and then make your own decision.
Self-Signed Certificate Model Owner says who they are Owner issues on their own policy Owner is responsible for quality Owner may not follow industry guidelines Owner may not provide certificate status Compromised certificates may not be able to be revoked Owner is not audited Issuer of certificate may not be authorized by the domain owner Certificates may not be renewed if there are no reminders Self-signed certificate model does not provide trust and the browser provides a trust dialogue box to indicate such Publicly-Trusted CA-Signed Certificate Model CA verifies the owner of the domain and the certificate applicant CA operates to a policy in conformance with the requirements of the browser and operating system vendors.