|
| ▲ | Uvix 14 hours ago | parent | next [-] |
| Depends on the registrar. Globalsign required the phone number to be one publicly listed for the company in some business registry (I forget exactly which one), so it had to be someone in our main corporate office who'd deal with them on the phone. |
| |
| ▲ | bangaladore 14 hours ago | parent | next [-] | | For an online business in a dubious (but legal) domain, my co-owner spent a few hundred bucks registering a business in New Mexico with a registered agent to get an EV cert. So, a barrier to entry, but not much of one. | | |
| ▲ | invokestatic 10 hours ago | parent [-] | | I have an almost identical story except the state in question was Nevada. I’m curious what “dubious” domain it was, for me it was video game cheats. Maybe I’m actually the co-owner you’re talking about. :) | | |
| |
| ▲ | progmetaldev 10 hours ago | parent | prev [-] | | Dun and Bradstreet (?). I believe I'm remembering this correctly. I still deal with a few financial institutions that insist on using an EV SSL certificate on their websites. I may be wrong, but I believe that having an EV SSL gives a larger insurance dollar amount should the security be compromised from the EV certificate (although I imagine it would be nearly impossible to prove). When I last reissued an EV SSL (recently), I had to create a CNAME record to prove domain ownership, as well as provide the financial institution's CEO's information which they matched up with Dun & Bradstreet and called to confirm. The entire process took about three days to complete. | | |
| ▲ | pests 9 hours ago | parent [-] | | Still required for Apple Dev account last time I had to go through the process a few years ago |
|
|
|
| ▲ | wnevets 14 hours ago | parent | prev | next [-] |
| > In addition to all of the authentication steps CAs take for DV and OV certificates, EV certificates require vetting of the business organization’s operational existence, physical address and a telephone call to verify the employment status of the requestor. [1]
|
| [1] https://www.digicert.com/difference-between-dv-ov-and-ev-ssl...
|
| Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain. Of course it's not 100% foolproof and depends on the quality of the CA but still very useful. |
| |
| ▲ | matrss 14 hours ago | parent | next [-] | | > Tying a phone number to a physical address and company is a lot more useful than just proof of control over a domain.
|
| It might be useful in some cases, but it is never any more secure than domain validation. Which is why browsers don't treat it in a special way anymore, but if you want you can still get EV certificates. | |
| ▲ | monerozcash 13 hours ago | parent | prev [-] | | It was easy to provide the information for an existing business you're completely unrelated to. Reliably verifying that a person actually represents a company isn't possible in most of the world. | | |
| ▲ | fpoling 13 hours ago | parent [-] | | Many countries have an official register of companies with at least a post box address. Requiring an answer to a physical letter sent to an address from the central register will be much more reliable. | | |
| ▲ | monerozcash 12 hours ago | parent [-] | | Sure, and then someone just registers a company with the exact same name in another jurisdiction and EV is thwarted anyway |
|
|
|
|
| ▲ | AlbinoDrought 12 hours ago | parent | prev | next [-] |
| I'd love a referral to your certificate authority and rep - we go through a big kerfuffle each renewal period, only eventually receiving the certificate after a long exchange of government docs and CPA letters. For us, only the last step is the phone call like you say. |
| |
| ▲ | wnevets 12 hours ago | parent [-] | | The replies to my original comment make it obvious who has gotten an EV cert from a quality CA before and who hasn't. | | |
| ▲ | BHSPitMonkey 11 hours ago | parent [-] | | This exchange seemingly proves the argument that user trust gained from the EV treatment is misplaced, and that the endeavor was a farce all along. It's not as though the user's browser was distinguishing the good CAs from the bad! | | |
| ▲ | wnevets 10 hours ago | parent [-] | | I disagree. I specifically said in my original comment they were very useful for those that knew what EV certs were and EV certs weren't. You may not know that Digicert is a quality CA who wasn't going to risk their position as a CA to sign an EV cert for a typosquatting phishing site pretending to be PayPal but there are those who do. The green UI in Chrome & Firefox made finding all of this information out incredibly simple and obvious. |
|
|
|
|
| ▲ | brians 13 hours ago | parent | prev | next [-] |
| Having run an EV issuing practice… they were required to contact you at a D&B listed number or address. |
|
| ▲ | realityking 14 hours ago | parent | prev [-] |
| EV certs also showed the legal name of the company that requested the certificate - that was an advantage. |
| |
| ▲ | duskwuff 13 hours ago | parent | next [-] | | Which would have made sense if company names were unique - which they aren't. See e.g. https://groups.google.com/g/mozilla.dev.security.policy/c/Nj... for an example of how this was abused. | | |
| ▲ | wbl 11 hours ago | parent [-] | | It was used correctly. What CAs wanted to sell wasn't something browsers wanted to support, and EV was the compromise. It just happens that what EV meant wasn't that useful irl. | | |
| ▲ | crote 11 hours ago | parent [-] | | What's the alternative, showing the company's unique registration ID? CAs invented EVs because they wanted to sell something which could make them more money than DVs. The fact that company names aren't unique means that the whole concept was fundamentally flawed from the start: there is no identifier which is both human-readable and guaranteed to uniquely identify an entity. They wanted to sell something which can't exist. The closest thing we have got is... domain names. | | |
| ▲ | duskwuff 8 hours ago | parent [-] | | The alternative would have been to have the CA use human judgement when approving EV certificates and reject applications from organizations whose names shadowed better-known firms, or to only accept applications from a select set of organizations (like, say, banks). But either of those possibilities would have increased the cost of the program and limited the pool of applicants, so CAs chose the cheap, easy path which led to EV certificates becoming meaningless. |
|
|
| |
| ▲ | crote 11 hours ago | parent | prev [-] | | The problem is that people wrongly believe that company names are unique. In reality you're just some paperwork and a token registration fee away from a name clash. If anything, it's a disadvantage. People are going to be less cautious about things like the website's domain name if they see a familiar-sounding company name in that green bar. "stripe-payment.com" instead of "stripe.com"? Well, the EV says "Stripe, Inc.", so surely you're on the right website and it is totally safe to enter your credentials... | | |
| ▲ | dismantlethesun 9 hours ago | parent [-] | | In many countries, company names are unique to that country. And combined with country TLDs controlled by the nation-state itself, it'd be possible for at least barclays.co.uk to be provably owned by the UK bank itself when an EV cert is presented by the domain. In the US though, every state has its own registry, and names overlap without the power of trademark protection applying to markets your company is not in. |
|
|