Extended Validation Standards Enhancements

Many top firms rely on Extended Validation to safeguard their systems and brand by meeting the industry's strictest identity verification and assurance criteria. In discussions with these companies, DigiCert has found continued interest in our work to reinforce EV as a way to help them protect their users and strengthen their brand promise.

The EV certificate requirements were formed in 2007, and while there have been several updates, there were no major changes until recently. It is unusual for a security standard to remain basically intact for so long, especially when threats adapt. DigiCert recently released a series of enhancements to Extended Validation certificates. During a dinner discussion at one of the face-to-face CA/B Forum meetings, DigiCert and several other Certificate Authorities reviewed the list of enhancements and agreed on four that would have a beneficial influence on EV while also having a reasonable chance of passing a CA/B Forum ballot. We agreed to debate four proposals in the forum:

  1. Before issuing certificates, require the CA to check the certificate type in the CAA record and follow the CAA policy on certificate type. The CA would check the CAA record before issuing a certificate, and if the requestor's CAA record specified that they only wanted EV, the CA would be unable to issue any other type of certificate for that domain.
  2. Include Legal Entity Identifiers (LEIs) in certificates. LEIs are internationally unique registration numbers generated by the Global Legal Entity Identifier Foundation (GLEIF). Combined with EV certificates, they provide a highly potent form of identity for worldwide organizations, and they can be verified on the GLEIF website.
  3. Create a white list of authorized data sources for EV certificate validation. Currently, CAs are free to use any authentication source that complies with the CA/B Forum criteria, and not all data sources are created equal. To increase confidence in the accuracy of the data, this proposal would identify and permit the use of only credible data sources that are uniform across all CAs.
  4. Before issuing an EV certificate, CAs should validate a registered trademark/wordmark, and certificates should include trademark and brand information (as well as the source of validation). Trademarks are globally distinct, recognized, distinguishable, and well-known, and customers perceive and comprehend them. CAs have the unique ability to authenticate trademarks and include them in an EV certificate. It is up to the user agent (i.e., the browser) to determine whether to use this data; nevertheless, it should be able to rely on data that the CA has validated.
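As an added example, not DigiCert's code and not part of any CA/B Forum ballot text, the following Python sketch shows the two mechanical pre-issuance checks behind proposals 1 and 2: a CAA lookup (RFC 8659 semantics for `issue`, `issuewild`, `iodef`, the critical flag and the walk up to the closest zone with records) that additionally honours a hypothetical `certtype` parameter standing in for the proposed certificate-type policy, and the ISO 17442 checksum on an LEI. The `certtype` parameter, the issuer names and the zone data are constructed for this example; the LEI routine checks only the syntactic check digits, not the GLEIF registry entry.

```python
"""CA-side pre-issuance checks: CAA certificate-type policy and LEI checksum.

CAA handling follows RFC 8659.  The `certtype` parameter is a hypothetical
extension that mirrors the post's proposal; no RFC defines it.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 8659 issuer-critical flag bit
KNOWN_TAGS = ("issue", "issuewild", "iodef")


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_value(value):
    """Split an issue/issuewild value into (issuer_domain, {param: value})."""
    parts = [p.strip() for p in value.split(";")]
    issuer = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if p:
            key, _, val = p.partition("=")
            params[key.strip().lower()] = val.strip().lower()
    return issuer, params


def relevant_records(zone_records, fqdn):
    """Walk from fqdn toward the root and return the first non-empty CAA RRset."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone_records.get(name):
            return zone_records[name]
    return []


def caa_permits(zone_records, fqdn, issuer_domain, cert_type):
    """Return (permitted, reason) for issuer_domain issuing cert_type to fqdn."""
    wildcard = fqdn.startswith("*.")
    name = fqdn[2:] if wildcard else fqdn
    rrset = relevant_records(zone_records, name)
    if not rrset:
        return True, "no CAA records: any CA may issue"
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag {rec.tag!r}"
    tag = "issuewild" if wildcard else "issue"
    candidates = [r for r in rrset if r.tag.lower() == tag]
    if wildcard and not candidates:  # no issuewild: issue records govern wildcards
        candidates = [r for r in rrset if r.tag.lower() == "issue"]
    if not candidates:
        return True, f"no {tag} records: any CA may issue"
    matched = False
    for rec in candidates:
        issuer, params = parse_caa_value(rec.value)
        if issuer != issuer_domain.lower():
            continue  # a bare ';' value has an empty issuer and matches nobody
        matched = True
        wanted = params.get("certtype")  # hypothetical certificate-type policy
        if wanted is None or wanted == cert_type.lower():
            return True, f"CAA permits {issuer} to issue {cert_type}"
    if matched:
        return False, f"CAA limits {issuer_domain} to a different certificate type"
    return False, f"{issuer_domain} is not an authorised issuer for {name}"


# Constructed zone data for the example.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "ca-a.example; certtype=ev"),  # EV only from ca-a
        CAARecord(0, "issue", "ca-b.example"),               # any type from ca-b
        CAARecord(0, "issuewild", ";"),                      # no wildcard certs at all
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [
        CAARecord(CRITICAL, "futuretag", "unknown-policy"),  # must block issuance
    ],
}


def _to_digits(s):
    """ISO 7064 letter expansion: A=10 ... Z=35, digits unchanged."""
    return "".join(str(int(ch, 36)) for ch in s)


def lei_checksum_ok(lei):
    """ISO 17442 syntax check: 20 alphanumerics whose MOD 97-10 value is 1."""
    lei = lei.strip().upper()
    if len(lei) != 20 or not lei.isascii() or not lei.isalnum():
        return False
    return int(_to_digits(lei)) % 97 == 1


def lei_with_check_digits(prefix18):
    """Append the two ISO 7064 MOD 97-10 check digits to an 18-character prefix."""
    n = int(_to_digits(prefix18.upper() + "00"))
    return prefix18.upper() + f"{98 - n % 97:02d}"


if __name__ == "__main__":
    print(caa_permits(SAMPLE_ZONE, "www.example.com", "ca-a.example", "dv"))
    print(lei_checksum_ok(lei_with_check_digits("529900EXAMPLEXX001")))
```

The CAA check denies issuance whenever a record for the issuer exists but its `certtype` does not match the request, so a subscriber who publishes `issue "ca.example; certtype=ev"` gets exactly the behaviour proposal 1 describes. The LEI checksum catches transcription errors before the CA spends a registry lookup; it says nothing about whether the entity behind the LEI is the one applying for the certificate, which is the part EV validation still has to establish.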