Many leading companies look to EV to protect their own systems and brand by adhering to the industry’s strongest requirements for identity verification and assurance. In discussions with these companies, DigiCert has found continued interest in our work to strengthen EV as a way to help them protect their users and strengthen their brand promise.
The standards for EV certificates were developed in 2007, and although there have been several updates, there haven’t been any major changes until recently. It’s rare for a security standard to remain relatively unchanged for such a long time, especially as threats continue to evolve. Recently, DigiCert came up with a set of improvements to enhance EV certificates. Over a dinner discussion during one of the face-to-face CA/B Forum meetings, DigiCert and several other Certificate Authorities reviewed that list of enhancements and settled on four standards which all agreed would have not only a positive impact on EV but also a fair chance of passing a CA/B Forum ballot. The four ideas we agreed to discuss in the forum are:
These were presented at the face-to-face meeting in Thessaloniki, Greece last summer and, for the most part, received positive feedback. There was intense discussion around the trademark idea, and there seemed to be a disagreement as to whether the current guidelines allow inserting trademarks into certificates or not. This was followed up by Mozilla proposing to make it explicit in their root program rules, disallowing trademarks until the forum comes up with clear validation rules. While this continues to play out, there will likely be work in the background to come up with a standard set of validation rules for trademarks.
Since this meeting, other ideas have been tossed around; for example, ensuring the organization has been registered for at least six to nine months prior to allowing it to obtain an EV certificate. Another possibility would be requiring a face-to-face visit prior to issuing a legal opinion letter. The Validation Working Group of the CA/B Forum is the logical next place to discuss these ideas and gather additional community input. If you want to keep up with these discussions and provide input, either join the working group or subscribe to the public list here.