3

With Let's Encrypt being the first CA to roll out ACME, setting up TLS on domains has become inexpensive, easy, and above all, automated.

Let's Encrypt has made it clear that EV is far from being an immediate goal of their organization, because of its requirement for human effort, which wouldn't be possible using their automated model -- but have any proposals come up over the years to either automate extended validation certificate signing, or to roll out alternatives to EV allowing for automation more easily?

Jules
  • 1,240
  • 1
  • 10
  • 20

3 Answers3

2

EV and normal certificate have a very different goal in mind. On the one hand, certificates are for everyone. Everyone can and should get a certificate for their domain the only requirement is to own the domain.

EV on the other hand is a real proof of identity, not just the domain but that this domain is indeed the domain of this company that your are indeed a representative of this company, etc. It doesn't verify just the domain ownership but the real physical identity. That's a higher level of identity verification and thus a higher level of trust and it obviously can't be automated. And even if it could it shouldn't, the human verification is exactly what makes it more valuable.

The point of let's encrypt is that it is easy to get, so that every single website on the internet get https.

The point of EV is that it is hard to get. So that phishing gets harder. You probably can get a certificate for a domain trying to imitate a well known domain but you can't get an EV certificate for such a domain, because no human would allow that.

So making EV certificate free and automated by bots is completely missing the point of EV and it would lower the trust we get in all other EV protected domains. There is no point in having EV, if everyone can get one for free automatically. The extra price and verification is what make EV... EV.

Matthieu
  • 316
  • 2
  • 10
1

Semi-automated, instant EV meeting the issuance criteria might be viable in jurisdictions like Estonia, where (i) the populace has smart cards and is able to make digital signatures with them, and (ii) there are (presumably) machine-readable statutory business registries that in principle ought to know who is authorised to make signatures on behalf of an organisation.

In theory the only intervention required, at least for renewal, would be for the domain registrant's representative to enter his/her PIN into a smartcard reader, with the card inserted, to sign the renewal authorisation.

sampablokuper
  • 1,961
  • 1
  • 19
  • 33
1

In general EV certificates or Extended Validation certificates aim at a thorough validation of the requester and the site to which the trust is being bound to. Making this process automated looses the value of the extended validation.

In general, cert and validation is for everyone. But this does not really justify the proof of identity or the organization’s validity. Issuing EV doesn’t just verify that the requester is the domain owner but also verifies the physical identity and thus the recording and logging process is more rigorous and through, making a direct implication that the trust that EV’s bring on the table are usually very high and if automated does loose a significant value.

On the contrary, with the increase in cyber security issues and major attacks due to weekend encryption streams, it becomes even more important to make sure that such trust measures are harder to get and difficult to break, which can happen with strict vigilance monitoring and logging. Several concepts have been introduced and followed by the Certificate Authority and Browsers Forum to make sure that the certificate issuance process is vetted and audited by various agencies.

D3X
  • 171
  • 6