EV (Extended Validation) SSL Certificates were introduced in 2007 to combat emerging online threats that could erode trust online. Specifically, these certificates provide a new way for merchants to prove that their site has been verified as an authenticated business. Extended Validation Certificates are designed to provide visitors with the green "good to go" browser indicator when they go to a secure page.
[Image: Microsoft IE address bar for a site with an EV SSL, showing the identity of the site from the SSL Certificate. The phishing filter needs to be turned on.]
[Image: Mozilla Firefox address bar for a site with an EV SSL]
[Image: Opera address bar for a site with an EV SSL]
In web browsers such as IE, Firefox or Opera, an EV SSL Certificate will turn your customer's address bar green and display the name of your business next to your web address.
Next-generation browsers such as Internet Explorer, Opera and Firefox have integrated new displays in order to provide consumers with a visual indicator of a website's security. The address bar of these browsers turns green whenever a customer visits a website secured with an Extended Validation SSL Certificate.
The EV SSL Certificate Validation Process
The EV SSL Certificate vetting process will validate the requestor's domain control and verify the requesting entity's legal existence and identity. The EV SSL validation process is the most extensive and rigorous in the industry. This process ensures that the green trust indicator will only be awarded to trustworthy and non-fraudulent websites.
Unlike other validation processes in the SSL industry, a certification authority issuing EV SSL Certificates cannot rely on any kind of self-reported data (such as address and phone numbers) during the validation process. This means that all data provided by a company hoping to obtain an EV SSL Certificate will be checked against reliable third-party sources.
Before an EV SSL certificate can be issued, three important steps need to be performed by the EV SSL Certificate vendor. The steps are:
- Confirm the existence of the company through third-party sources
- Verify that the request has been made on behalf of the company
- Obtain mutual confirmation of the request between the Certificate Authority and the requesting party
Typically this is a contract that will be sent at the end of the validation process to the requesting party. The contract must be signed by an authorized person.
For all three steps listed above, special guidelines outline in detail what background checks should be performed by all Certificate Authorities issuing EV SSL Certificates.
A customer wishing to obtain an EV SSL Certificate must own and control the domain name that will utilize the EV SSL Certificate. A Certificate Authority will check website registration records (Whois database) or may ask the customer to make a change to the website under the domain name.
The Certification Authority must verify that the individual requesting the certificate is acting as a legitimate agent for the requesting company.
One way that a Certificate Authority may verify this data is by contacting the requesting company's human resource department.
The Certificate Authority will also verify the identity of the contract signer (in most cases this will be a C-level management person). Usually this is verified with written documentation.
Legal existence and identity
A Certificate Authority will check to make sure that the business is legally recognized and that the formal name matches the official government records. In cases where a trading name is used, the Certificate Authority must verify any alternative names that differ from the legal name of the customer in qualified databases.
The Certification Authority is required to cross-check the address listed in the certificate application against a qualified government database.
If the listed address cannot be verified by consulting the government database, an on-site visit may be necessary to investigate the discrepancy. Investigators may need to take photos of business operations or speak with company personnel.
The Certificate Authority will confirm that the telephone number listed on the certificate application is the primary telephone number for the requesting organization. This is accomplished by calling the number directly or by checking phone directory listings.