Many leading companies look to EV to protect their own systems and brand by adhering to the industry’s strongest requirements for identity verification and assurance. In discussions with these companies, DigiCert has found continued interest in our work to strengthen EV as a way to help them protect their users and strengthen their brand promise.
The standards for EV certificates were developed in 2007, and although there have been several updates, there haven’t been any major changes until recently. It’s rare for a security standard to remain relatively unchanged for such a long time, especially as threats continue to evolve. Recently, DigiCert came up with a set of improvements to enhance EV certificates. Over a dinner discussion during one of the face-to-face CA/B Forum meetings, DigiCert and several other Certificate Authorities reviewed that list of enhancements and settled on four standards which all agreed would have not only a positive impact on EV but also a fair chance of passing a CA/B Forum ballot. The four ideas we agreed to discuss in the forum are:
- Require that the CA check the certificate type in the CAA record and respect a CAA policy regarding certificate type prior to issuing. This would mandate that the CA check the CAA record prior to issuance and, for example, if the requestor’s CAA record said they only want EV, the CA could not issue any other type of certificate for that domain.
- Include Legal Entity Identifiers (LEIs) in certificates. LEIs are globally unique registration numbers created under a scheme supervised by the Global Legal Entity Identifier Foundation (GLEIF). Added to EV certificates, they provide a very strong form of identity for global organizations, which can be validated on the GLEIF website.
- Develop a whitelist of approved data sources for validating EV certificates. Currently, CAs are free to choose whatever authentication source meets the CA/B Forum guidelines, and not all data sources are created equal. This proposal would identify and allow the use of only reputable data sources, standardized across all CAs, to give increasing confidence that the data is correct. DigiCert is the first CA to publish its list of data sources on its website.
- Require CAs to verify a registered trademark/wordmark before issuing an EV certificate and include trademark and brand information in a certificate (as well as the source of validation). Trademarks are globally unique, recognizable, distinguishable and familiar. Consumers recognize and understand them. CAs are in a unique position to validate trademarks and insert them into an EV certificate. Whether a user agent (i.e., browser) decides to use this data is up to them; however, they should be able to rely on the data which the CA has validated.
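As an added illustration of the first proposal above (a CAA record that restricts which certificate type a CA may issue), and not code from the post or from DigiCert: a small Python checker that evaluates a domain's CAA RRset the way RFC 8659 prescribes and additionally honours a `certtype` property parameter. That parameter is an assumption used to model the proposal, since no such parameter is standardized, and the sample records are constructed.

```python
# Constructed sample CAA RRset for a hypothetical domain. Each record is
# (flags, tag, value). The "certtype" parameter on the issue record is
# hypothetical: it models the proposal that a domain owner can say
# "only EV certificates may be issued for this name".
SAMPLE_CAA = [
    (0, "issue", "digicert.com; certtype=ev"),   # DigiCert may issue EV only
    (0, "issue", "otherca.example"),             # another CA, no type limit
    (0, "issuewild", ";"),                       # nobody may issue wildcards
]

CRITICAL_FLAG = 0x80  # RFC 8659 issuer-critical bit


def parse_issue_value(value):
    """Split 'issuer-domain; key=val; ...' into (issuer, {key: val})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            key, val = p.split("=", 1)
            params[key.strip().lower()] = val.strip().lower()
    return issuer, params


def may_issue(records, ca_domain, cert_type, wildcard=False):
    """Return True if the CAA RRset permits ca_domain to issue cert_type.

    Follows RFC 8659 selection rules (issuewild overrides issue for
    wildcard names; an unknown critical tag forbids issuance) and then
    applies the hypothetical certtype restriction if one is present.
    """
    known = {"issue", "issuewild", "iodef"}
    for flags, tag, _ in records:
        if tag.lower() not in known and flags & CRITICAL_FLAG:
            return False  # critical property we do not understand
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r[1].lower() == tag]
    if wildcard and not relevant:
        relevant = [r for r in records if r[1].lower() == "issue"]
    if not relevant:
        return True  # no issuance restriction published for this name
    for _, _, value in relevant:
        issuer, params = parse_issue_value(value)
        if issuer != ca_domain.lower():
            continue
        allowed = params.get("certtype")
        if allowed is None or allowed == cert_type.lower():
            return True
    return False
```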
These were presented at the face-to-face meeting in Thessaloniki, Greece last summer and, for the most part, received positive feedback. There was intense discussion around the trademark idea, and there seemed to be a disagreement as to whether the current guidelines allow inserting trademarks into certificates or not. This was followed up by Mozilla proposing to make it explicit in their root program rules, disallowing trademarks until the forum comes up with clear validation rules. While this continues to play out, there will likely be work in the background to come up with a standard set of validation rules for trademarks.
Since this meeting, other ideas have been tossed around; for example, requiring that the organization has been registered for at least six to nine months before it may obtain an EV certificate. Another possibility would be requiring a face-to-face visit prior to issuing a legal opinion letter. The Validation Working Group of the CA/B Forum is the logical next place to discuss these ideas and gather additional community input. If you want to keep up with these discussions and provide input, either join the working group or subscribe to the public list here.