How does an end user differentiate between OV and DV certificates?

Question

This is a very good link that explains the different types of SSL certificates and level of trust provided by them. An Extended Validation (EV) certificate it is easily identified by the green color in the address bar and the name of the organization highlighted.

But what about the Domain Validation and Organization Validation certificates. Obviously the latter provides a better level of trust. So the question is how does the end user find out what kind of certificate the site is using. I tried viewing the certificate in the browser (firefox) but could not find anything relevant.

p.s. I searched more over the internet and even the answer by Tidalwave points out that there is no real way for a user to find out. So this means that for the end user there are only two types of certs EVSSL and non-EVSSL Doesn't this defeat the whole purpose of having DV and OV?

Answer 1

There is no difference between DV and OF in the browser's identity field. The screenshot below shows this field for Chrome, Firefox and MSIE. For both DV and OV, only the URL (no company name) show in the identity field.

When the site has EV, the company name is displayed along with the URL. Chrome and MSIE use green background to the company name, while Firefox will use green text for the company name.

However, if you look at the certificate itself, you will see the difference.

The two screendumps below are both from the Firefox certificate viewer.

The screendump below is from a site with only Domain Validation (DV). As you can see, there is no information about the organization in the certificate.

The next screendump is from a site with Organization Validation (OV). Here you can see the name of organization that own the domain.

You will also find the name of the organization of a site with Extended Validation (EV). The difference between OV and EV is that the company name is displayed in the browser's identity field if the site has an EV certificate, but not if it has a OV certificate.

Another way to tell DV and OV certificates apart is to inspect the numeric policy identifier (appears under the certificate's "Details"-tab if present). Please note that this identifier is not adopted by all CAs. Values used for the policy identifier are show below:

DV 2.23.140.1.2.1
OV 2.23.140.1.2.2

Answer 2

Why would you think that you can trust companies officially registered in some countries more than you can trust registered domains hosted in any?

EV has obvious advantage with stricter validation, differences in trustworthiness between the other two however are rather moot. Browser vendors supporting EV simply didn't feel the need to agree on a separate visual identification of the other two (OV, DV) verification models, as neither provide a clear advantage one over the other (if any at all).

In short, none of the major browser vendors felt the need or want to differentiate between the two and stand behind it with their name. Good that they didn't, too. If companies can withstand scrutiny EV brings, then no one is stopping them to apply for such certificate. On the other hand, there are clearly also needs for cheaper certificates where additional verification wouldn't fit within their price range. Browser vendors (and user interfaces of some other software vendors) with EV support however don't stand by these cheaper certificates in any other special way than what is already there as per usual, for reasons mentioned before.

As for the other part of your question (visual inspection of certificate data), OV and DV would differ in their description where OV usually holds more data about the company it was issued for, but that's about it. This additional information display can vary across different clients, tho. That image you're attaching is however from Wikipedia, and you didn't mention what browser you were inspecting detailed certificate information in, so I can't say what differences you'd be able to see in an unknown browser.

^{Example of Extended Validation certificate in Mozilla Firefox (above).}

EDIT: DV certificate contains no identifying information in the organization name field. Typically, this value just re-states the domain name or simply says "Persona Not Validated", "(unknown)" et cetera. This is not standard for all CAs tho. Another way would be to inspect policy identifier (if present) where 2.23.140.1.2.1 stands for DV, and 2.23.140.1.2.2 for OV. Again, this is not adopted by all CAs. In short, there is no deterministic way to tell if a certificate was Domain or Organization Validated.

^{Example of Domain Validated certificate in Mozilla Firefox (above). Notice the lack of meaningful data in the organisation information field.}

Answer 3

The extensions and OIDs in question can be read with a run of command-line openssl x509 -noout -text -in <cert.file>.

When doing that regularly, you may want to be exact. Here is a snippet from my own Python 3 certificate helper tool:

known_policies = {
        '2.23.140.1.2.1': 'DV',
        '2.23.140.1.2.2': 'OV',
        '2.23.140.1.1':   'EV'
}
policy_re = re.compile(r'.*(2\.23\.140\.1\.[.0-9]+)', re.DOTALL)
ext = x509.get_extension(idx)
if ext.get_short_name().decode('ascii') != 'certificatePolicies':
    # Other type of extension, not interested in that
    continue

policy_match = policy_re.match(str(ext))
if not policy_match:
    # Doesn't seem to contain valid policy information
    continue

policy_oid = policy_match.group(1)
type = known_policies[policy_oid]

The general idea is to use Python's OpenSSL library to read and load a X.509 certificate. Then iterate its extensions while looking for a certificatePolicies-extension. The expected normal condition is, that there is one of the hard-coded OIDs in extension data.

Answer 4

For Digicert
2.16.840.1.114412.2.1 - EV
2.16.840.1.114412.1.1 - OV

But given that browsers are no longer providing special visual indicators for EVs, we're moving from the more expensive EVs to OVs anytime an EV cert expires.