Select The Best Level of Authentication For Your Web Site
Due to the prevalence of counterfeit web sites on the Internet, one of the key purposes of an SSL certificate is to help assure consumers that they are actually doing business with the web site they believe they are accessing. An SSL certificate provided by a trusted third party authenticates the identity of a web site based on a validation process performed by the Certificate Authority (CA). However, there are several different levels of validation that back SSL certificates depending on the certificate and the CA.
The level of identity authentication assured by a CA is a significant differentiator between SSL certificates. The explosive growth of phishing and other fraudulent web sites designed to steal information from consumers has put a spotlight on the authentication strength of various SSL certificates and the authentication processes employed by different CAs. There are three commonly recognized categories of SSL authentication: Extended Validation (EV), organization authentication, and domain authentication.
Extended Validation Authentication
Extended Validation (EV) authentication is the highest level of authentication available with an SSL certificate. Any web site with an established brand reputation should consider the benefits of an SSL certificate with EV authentication. New, high-security browsers, such as Microsoft® Internet Explorer 7, identify these web sites as authenticated by prominently displaying a green address bar and security status bar with the name of the verified organization that owns the web site. Of all forms of SSL-based identity authentication, these certificates are by far the most noticeable to consumers.
The CA/Browser Forum, a consortium of certificate authorities and browser manufacturers, developed this category of web site authentication as an industry-wide standard. In order to be authorized to issue EV SSL certificates, a CA must pass regular third-party audits confirming that it meets the requirements set out in this standard for validating the identity of certificate requesters.
Getting an EV Authenticated Certificate
Some certificate authorities require a signed acknowledgement of agreement from the corporate contact listed on any order for an EV SSL certificate. A company registration document may also be required if we are unable to confirm the organization’s details through a government database. A legal opinion letter may also be requested to confirm the following details about the organization applying for the Extended Validation SSL certificate:
- Physical address of place of operation
- Telephone number
- Confirmation of exclusive right to use the domain
- Additional confirmation of the organization’s existence (if less than 3 years old), and
- Verification of the corporate contact’s employment.
These are the standard methods of identity verification used to validate organizations for EV SSL certificates. However, documentation requirements may vary depending on the information available on various approved online databases.
Organization authentication, also known as business identity authentication, is a high assurance level of authentication.
SSL certificates with this level of authentication require verification of an organization’s existence through a government-issued business credential. Usually, the certificate authority will get this independent verification by searching one of many government or private databases to which they have access. If we cannot find “proof of right” to do business in the stated name for a certificate requester, we may request a copy of one of the following items:
- Articles of Incorporation
- Business License
- Certificate of Formation
- Doing Business As
- Registration of Trade Name
- Charter Documents
- Partnership Papers
- Fictitious Name Statement
- Vendor/Reseller/Merchant License
- Merchant certificate
- US Tax Licenses for non-profit organizations and sole proprietorships (in either case the state tax documents must list the organization as non-profit or sole proprietor)
The Organization named in the certificate requester’s Distinguished Name (CSR) must reflect the full legal name of their business. If the official name of the business as listed in one of the above sources of business credentials does not match the Distinguished Name, we will not be able to accept it. Suffixes such as “Inc, LLC, or LP” can be disregarded.
For example: "Dina's Cafe" may be used to authenticate "Dina's Cafe Inc." However, "Dina's Cafe" may not be used to authenticate "Dina's Cafe and Gift Shop Inc."
In addition to the business credential verification, every certificate order goes through domain name verification. The organization ordering the SSL certificate must own their web site domain name or have proof that they have the legal right to use that domain name. We also verify that the organizational contact applying for the certificate on behalf of the company or organization is an employee of that organization.
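The organization-name rule described above (legal suffixes disregarded, otherwise the names must match in full) can be expressed as a small check. This is an added example, not a CA's actual vetting code; the function names and the normalization choices (case, punctuation, curly apostrophes) are assumptions, and the suffix list contains only the three suffixes the text names.

```python
import re
import unicodedata

# Assumption: only the suffixes named in the text; a real CA's list may be longer.
LEGAL_SUFFIXES = {"inc", "llc", "lp"}


def normalize_org_name(name: str) -> tuple:
    """Reduce an organization name to comparable tokens without legal suffixes."""
    text = unicodedata.normalize("NFKC", name).casefold()
    text = text.replace("\u2019", "'")      # curly apostrophe -> straight
    text = re.sub(r"['.]", "", text)        # "Dina's" -> "dinas", "L.L.C." -> "llc"
    tokens = re.findall(r"[^\W_]+", text)   # all other punctuation separates tokens
    # Drop suffixes only from the end, and never reduce the name to nothing.
    while len(tokens) > 1 and tokens[-1] in LEGAL_SUFFIXES:
        tokens.pop()
    return tuple(tokens)


def credential_supports(credential_name: str, csr_organization: str) -> bool:
    """True if the business credential authenticates the Organization in the CSR.

    The comparison is a full match on the normalized tokens. A prefix match is
    deliberately not enough: extra words in the CSR name describe a different
    legal entity than the one the credential proves.
    """
    return normalize_org_name(credential_name) == normalize_org_name(csr_organization)


if __name__ == "__main__":
    # Constructed sample orders: (name on credential, Organization in CSR).
    samples = [
        ("Dina's Cafe", "Dina's Cafe Inc."),
        ("Dina's Cafe", "Dina's Cafe and Gift Shop Inc."),
        ("DINA\u2019S CAFE, L.L.C.", "Dina's Cafe"),
    ]
    for credential, csr_org in samples:
        verdict = "accept" if credential_supports(credential, csr_org) else "reject"
        print(f"{verdict}: {credential!r} -> {csr_org!r}")
```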
Domain authenticated certificates are the lowest form of authentication available. An entity requesting a domain authenticated certificate will go through a process to help verify that they either own the domain requested or that they have the right to use that domain name. Additionally, we will verify that the email address for the contact requesting the certificate is either listed in the WHOIS directory or meets the CA's predetermined email alias requirements.