
Extended Validation Certificate

An Extended Validation Certificate (EV) is a certificate used for HTTPS websites and software that proves the legal entity controlling the website or software package. Obtaining an EV certificate requires verification of the requesting entity's identity by a certificate authority (CA).

The introduction … of so-called high-assurance or extended validation (EV) certificates that allow CAs to charge more for them than standard ones, is simply a case of rounding up twice the usual number of suspects—presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it is not fixing any problem that the phishers are exploiting. Indeed, cynics would say that this was exactly the problem that certificates and CAs were supposed to solve in the first place, and that “high-assurance” certificates are just a way of charging a second time for an existing service. A few years ago certificates still cost several hundred dollars, but now that the shifting baseline of certificate prices and quality has moved to the point where they can be obtained for $9.95 (or even for nothing at all) the big commercial CAs have had to reinvent themselves by defining a new standard and convincing the market to go back to the prices paid in the good old days.

Some web browsers show the verified legal identity in their user interface, either before, or instead of, the domain name. Mobile browsers typically do not show any difference for EV-certified websites and, on the desktop, this behaviour has been phased out in recent versions of popular browsers (for example, the Safari browser for Apple's macOS Mojave).
Of the ten most popular websites online, none use EV certificates and the trend is away from their usage. For software, the verified legal identity is displayed to the user by the operating system (e.g., Microsoft Windows) before proceeding with the installation. EV certificates use the same encryption as organization-validated certificates and domain-validated certificates: the increase in security is due to the identity validation process, which is indicated within the certificate by the policy identifier. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation promulgated by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software as well as representatives from the legal and audit professions.
