To understand the differences between the three types of SSL certificates, Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV), it helps to understand what certificates are and how they are issued by publicly trusted Certificate Authorities (CAs) like DigiCert. CAs are trusted third parties that issue TLS/SSL certificates after verifying identity details of a website owner. The only way to see those details in a browser is to look beyond the lock: click the padlock in the address bar and open the certificate itself.
TLS/SSL certificates do two things. First, they let a browser authenticate the server, which is what allows TLS to set up an encrypted connection between the user and the domain; the certificate itself does not encrypt anything, it binds the site's public key to a name. Second, depending on the validation level, they attest to the ownership and identity of the business or person behind the domain. Just as a certificate would in the physical world, a digital certificate certifies your right to represent your business or organization online.
The name of each SSL certificate type reflects the validation steps that took place before issuance. Domain Validated certificates involve only a check that the applicant controls the domain, whereas Organization Validated certificates verify domain control and also authenticate the business organization affiliated with the domain. Extended Validation certificates are high-assurance identity certificates because they require verification of the domain, the business organization and the legal existence and identity of the entity involved under the stricter CA/Browser Forum EV Guidelines.
At the DV level the process is short: the applicant only has to demonstrate control of the domain. The CA does this with a domain control check, for example a confirmation email to a contact address for the domain (historically the address listed in WHOIS), a DNS record or a file the applicant places on the web server. While convenient if you need a certificate right away, this single check is the lowest standard on the Internet and should be trusted accordingly: it proves only that whoever requested the certificate controlled the domain at that moment, not who they are.
What distinguishes OV and EV certificates are the extra layers of validation required to obtain them. For both, CAs must verify domain control as well as several details of the affiliated business, including its name, type, status and physical address.
With EV, nine additional steps are required, including verifying the business's public phone number, length of time in business, registration number and jurisdiction, as well as a domain fraud check, a contact blacklist check and a telephone call to confirm the employment status of the requester.
From zero-assurance to high-assurance certificates, here is how the validation process matches the brand security you expect while using the web.
Every TLS/SSL certificate type signals to customers the level of organization identity you have attached to your certificate, in addition to enabling the encrypted connection to the website.
Domain Validated (DV) certificates provide the lowest level of authentication, meaning anonymous entities can get a certificate. Jane Does meander at this level.
Organization Validated (OV) certificates provide additional checks to ensure brand protections. Jane Doe can no longer hide in the shadows at this level.
Extended Validation (EV) certificates provide the highest standard of brand protection. With EV, brands signal to customers that a verified legal entity stands behind the site they are transacting with. Jane Doe is thoroughly identified.
Domain Validated (DV) certificates are the least-identity-validated SSL certificates and can be obtained quickly and easily—even by a malicious bot. These certificates are low-cost certificates that only require validation that a company or person can demonstrate control over a web domain for which they want to secure a certificate.
To obtain a DV certificate, a website owner only proves control of the domain, through a confirmation email, a DNS record or a web file check. When you look beyond the lock of a DV certificate you will see no organization details, only the domain names the certificate covers. DV certificates are the minimum viable product for encrypting websites.
Types of websites that use DV certificates:
Organization Validated (OV) certificates are authenticated with nine validation checks and are considered a mid-level business certificate. With OV certificates, CAs authenticate domain control just as they do for DV certificates. But when you look beyond the lock of an OV certificate you will find more details about the company that owns the website.
What distinguishes OV from DV are the steps CAs take to authenticate that the business organization (i.e. Inc., Corp, LLC, Ltd, Pty Ltd, etc.) affiliated with the certificate is valid and remains in good standing.
Best used on these websites and pages:
Extended Validation (EV) certificates provide the highest level of brand identity assurance and are authenticated with 16 validation checks. When you look beyond the lock of an EV certificate you will immediately find details about the company or parent company that owns the website, including its registration number and jurisdiction.
In addition to all of the authentication steps CAs take for DV and OV certificates, EV certificates require vetting of the business organization’s operational existence, physical address and a telephone call to verify the employment status of the requestor.
Best used on these websites and pages:
The DigiCert Validation team rejects approximately 3,750 EV certificate requests every year, in part because the requests are fraudulent.
By clicking the padlock icon in the address bar you can open the certificate and check the identity of the website owner; current browsers no longer print the organization name next to the padlock, so this takes a click. Unfortunately, most phishing sites today have a padlock and a DV certificate, so the padlock alone proves nothing about who runs the site. That is why it is important to look beyond the lock. If a website is not willing to put its identity in the certificate, you should not be willing to share any identifying information with it. If you see the organization's name in the certificate, you have a basis for deciding whom to trust.
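What "looking beyond the lock" amounts to in code, as an added example that is not part of the original article or of any DigiCert tooling: the Go program below reads the two places a certificate records its validation level, the CA/Browser Forum policy OID in the certificatePolicies extension and the organization fields in the subject, and classifies a certificate as DV, OV or EV. It refuses the EV label when the EV policy OID is present but the subject lacks the organization, registration number and jurisdiction fields EV requires. The certificates it inspects are self-signed test certificates it builds itself; the company name and details are invented. To inspect a real site, pass the first element of `tls.Dial(...).ConnectionState().PeerCertificates` to `Classify`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum policy OIDs. Public CAs put one of these in the
// certificatePolicies extension to state which validation level applied.
var (
	oidPolicyEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}    // EV Guidelines
	oidPolicyDV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1} // Baseline Requirements, domain validated
	oidPolicyOV = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // Baseline Requirements, organization validated

	// Subject attributes the EV Guidelines require; DV and OV subjects never carry them.
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

	oidExtCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
)

// Classify returns "DV", "OV" or "EV" for a parsed end-entity certificate.
// The policy OID is what the CA asserted; the subject is checked against it so
// that an EV OID on a certificate without EV subject fields is not reported as EV.
func Classify(cert *x509.Certificate) string {
	asserted := ""
	for _, p := range cert.PolicyIdentifiers {
		switch {
		case p.Equal(oidPolicyEV):
			asserted = "EV"
		case p.Equal(oidPolicyOV):
			asserted = "OV"
		case p.Equal(oidPolicyDV):
			asserted = "DV"
		}
	}
	hasOrg := len(cert.Subject.Organization) > 0 && cert.Subject.Organization[0] != ""
	hasEVAttrs := false
	for _, atv := range cert.Subject.Names { // Names holds every subject attribute, unknown OIDs included
		if atv.Type.Equal(oidBusinessCategory) || atv.Type.Equal(oidJurisdictionCountry) {
			hasEVAttrs = true
		}
	}
	switch {
	case asserted == "DV":
		return "DV" // the CA validated only domain control, whatever the subject claims
	case asserted == "EV" && hasOrg && hasEVAttrs && cert.Subject.SerialNumber != "":
		return "EV"
	case hasOrg:
		return "OV" // OV OID, or no policy OID at all but an organization name in the subject
	default:
		return "DV"
	}
}

// selfSigned builds a self-signed test certificate with the given subject and
// policy OID. Constructed for this example only: a real DV/OV/EV certificate
// chains to a public CA, which is what makes the asserted policy meaningful.
func selfSigned(subject pkix.Name, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if policy != nil {
		// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID, ... },
		// written as a raw extension so the same code works across Go versions.
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidExtCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts builds one certificate per validation level with the subject
// fields that level puts beyond the lock. The organization details are invented.
func SampleCerts() (dv, ov, ev *x509.Certificate, err error) {
	if dv, err = selfSigned(pkix.Name{CommonName: "www.example.com"}, oidPolicyDV); err != nil {
		return
	}
	orgSubject := pkix.Name{
		CommonName:   "www.example.com",
		Organization: []string{"Example Corp"},
		Locality:     []string{"Springfield"},
		Province:     []string{"Illinois"},
		Country:      []string{"US"},
	}
	if ov, err = selfSigned(orgSubject, oidPolicyOV); err != nil {
		return
	}
	evSubject := orgSubject
	evSubject.SerialNumber = "1234567-8901" // registration number from the company register
	evSubject.ExtraNames = []pkix.AttributeTypeAndValue{
		{Type: oidBusinessCategory, Value: "Private Organization"},
		{Type: oidJurisdictionCountry, Value: "US"},
	}
	ev, err = selfSigned(evSubject, oidPolicyEV)
	return
}

func main() {
	dv, ov, ev, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{dv, ov, ev} {
		fmt.Printf("%-2s  policies=%v  subject=%s\n", Classify(c), c.PolicyIdentifiers, c.Subject)
	}
}
```

The policy OID is checked first because it is the CA's own statement of what it validated, and the subject is cross-checked because a subject can carry whatever the applicant typed into the request; a CA that issued a DV certificate with an organization name in it did not verify that name, so the DV OID wins.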
The European Union has been a staunch advocate of stronger online security standards to increase user trust and authenticity on the internet. In 2015 the EU adopted the revised Payment Services Directive, known as PSD2, to regulate payment transactions, create a more integrated European payment services market and protect consumers by making payments safer and more secure. PSD2 applied from January 2018, and its technical standards require banks and other online payment service providers to identify themselves to one another with Qualified Certificates under the eIDAS regulation (qualified website authentication and electronic seal certificates), which are issued only by qualified trust service providers after identity vetting that is even stricter than EV.
As the internet evolves and online identity is increasingly abused, DigiCert takes an active role in the CA/Browser Forum to advocate for higher identity assurance online, because an authentic online identity should be just as important in the digital world as it is in the physical world. In today's digitally connected world, the erosion of online identity will have an adverse effect on the public trust we aspire to uphold.