The main purpose of website certificates is to ensure confidential communication between a website and its users. In their basic form certificates are bound to one or more specific domains over which the provider has documented control. So the server is effectively authenticated to users in terms of a domain name. Recently the provision of such basic domain validation certificates has become fully automated and is offered for free by several issuers.
A problem that has not been solved, however, is the mostly weak identity proofing of domain registrants and operators. To enable businesses to authenticate themselves to their users in terms of their legal identity, some certificate authorities started to offer identity verification as an additional service to their customers.
This verification of the relationship between a domain and a legal entity is principally unrelated to the purpose of domain validation certificates. Nevertheless, the result of this identity verification effort was baked into the certificate offering, referring to simple “organization validation” (OV) and stricter “enhanced validation” (EV) certificates. Unfortunately this conflation with the basic certificate purpose effectively created a mostly useless dead end for identity verification, rather than opening a path for using the identity verification as a basis for further discovery of trust elements and services offered.
The attached article summarizes the criticism and challenges that has led to the demise EV certificates currently face – and outlines a promising, flexible and even backwards compatible alternative.
2020-05-04: Significant update of the attached PDF document
Bilag | Størrelse |
---|---|
trust_beyond_ev_certificates_v_0_98.pdf | 1.79 MB |