
Certificates can have a class level (or validation level). What is the impact of these levels on deployed web applications?

More specifically:

  1. Is the certificate level included in the certificate itself?

  2. Can a level 1 certificate be used to deploy a web application including a paid service?

  3. Do pop-ups appear on the user side if a website's certificate is too low? If yes, at which level?

Thanks.

1 Answer

  1. The certificate level usually can be seen in the certificate (e.g., StartCom free certificates have OU=StartCom Free Certificate Member, O=Persona Not Validated in the subject DN — apparently not anymore (see below), and separate intermediate CA certificates are used for different levels). But at least in Firefox this information is not easily available in the browser UI (you need to get to the certificate properties window with lots of technical information to see it); only EV certificates are clearly indicated, and everything below EV is basically treated the same.

    CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (version 1.0 adopted on 22 Nov. 2011 with an Effective Date of 1 July 2012) specify two Certificate Policy identifiers which could optionally be used by CAs to assert the identity validation level:

    • 2.23.140.1.2.1 — only a domain validation was performed;
    • 2.23.140.1.2.2 — the subject identity was validated before issuing the certificate.

    At least StartCom now uses 2.23.140.1.2.1 in newly issued Class 1 certificates, and no longer includes a human-readable OU=StartCom Free Certificate Member, O=Persona Not Validated in the subject DN. However, browsers currently do not seem to pay attention to these policy OIDs when displaying the certificate information (e.g., the Mozilla bug #740571 is still open).

  2. Using level 1 certificates for commercial purposes may be against the CA policy. The CA may refuse to issue the certificate if the domain name obviously suggests commercial use, or revoke the certificate later for violating the policy.

  3. If a certificate is valid (not expired, the corresponding root certificate is trusted, there are no problems in verifying the trust chain, and revocation checks pass successfully), there will be no warning pop-ups irrespective of the certificate validation level.
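The policy OIDs from point 1 are machine-readable even though browser UIs do not surface them. As an added example that is not part of the answer, this stdlib-only Python walks a DER structure (the constructed extension below, or a whole DER certificate read from disk), pulls the policyIdentifier values out of the certificatePolicies extension and maps the two CA/Browser Forum OIDs to the level they assert; the sample bytes are constructed for illustration, not taken from a real CA's certificate.

```python
# Read CA/Browser Forum policy OIDs from a DER certificatePolicies extension, no third-party libraries.
CABF_POLICIES = {"2.23.140.1.2.1": "DV: only domain control validated",
                 "2.23.140.1.2.2": "OV: subject identity validated"}
CERT_POLICIES_EXT = "2.5.29.32"                      # id-ce-certificatePolicies

def decode_oid(body):
    """Turn the DER content of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                               # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def children(body):
    """Yield (tag, value) for each TLV directly inside a DER body."""
    pos = 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                            # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        yield tag, body[pos:pos + length]
        pos += length

def find_policy_oids(der):
    """Depth-first search for the certificatePolicies extension; a whole DER certificate works too."""
    for tag, inner in children(der):
        if not tag & 0x20:                           # primitive type: nothing to descend into
            continue
        kids = list(children(inner))
        if (tag == 0x30 and kids and kids[0][0] == 0x06 and kids[0][1]
                and decode_oid(kids[0][1]) == CERT_POLICIES_EXT):
            (_, seq_of), = children(kids[-1][1])     # extnValue: SEQUENCE OF PolicyInformation
            return [decode_oid(next(children(pi))[1]) for _, pi in children(seq_of)]
        found = find_policy_oids(inner)
        if found:
            return found
    return []

def validation_level(der):
    for oid in find_policy_oids(der):
        if oid in CABF_POLICIES:
            return CABF_POLICIES[oid]
    return "no CA/Browser Forum policy OID: level not asserted"

# Constructed sample (not a real certificate): the extension a Class 1 (DV-only) certificate would carry.
SAMPLE_DV_EXT = bytes.fromhex(
    "3013"                    # SEQUENCE Extension
    "0603551d20"              #   OID 2.5.29.32 (certificatePolicies)
    "040c300a3008"            #   OCTET STRING { SEQUENCE OF { PolicyInformation SEQUENCE
    "060667810c010201")       #     OID 2.23.140.1.2.1 } }
```

For a certificate saved from a server, `validation_level(open("server.der", "rb").read())` gives the same answer the browser UI hides.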