33

This is a very good link that explains the different types of SSL certificates and the level of trust provided by them. An Extended Validation (EV) certificate is easily identified by the green color in the address bar and the name of the organization highlighted.


But what about the Domain Validation and Organization Validation certificates? Obviously the latter provides a better level of trust. So the question is: how does the end user find out what kind of certificate the site is using? I tried viewing the certificate in the browser (Firefox) but could not find anything relevant.

P.S. I searched more over the internet, and even the answer by Tidalwave points out that there is no real way for a user to find out. So this means that for the end user there are only two types of certs, EV SSL and non-EV SSL. Doesn't this defeat the whole purpose of having DV and OV?

Shurmajee
  • 4
    Well I'd say 90% of the "purpose of having OV" is that it's a technique to make people who are willing to pay more pay more and people who are not willing to pay more pay less but still pay. Every "purpose" a commercial organization has is to earn money. There's a related article here: "*[How much should I charge for my software?](http://www.joelonsoftware.com/articles/CamelsandRubberDuckies.html)*" – Pacerier Apr 12 '16 at 13:16
  • 1
    @Pacerier hilarious commentary...but the question is about the purpose of _buying_ one....we can all see the purpose of _selling_ one.....but the question is, what "trust" is provided? Is there an *advantage* that I'm paying the extra for with OV? – JamesTheAwesomeDude Sep 25 '18 at 19:55
  • 2020 update: EV certificates no longer show a green location-bar. https://www.reddit.com/r/sysadmin/comments/9ihujz/chrome_no_longer_displays_ev_https_in_green/ – Sire May 12 '20 at 10:01

4 Answers

21

There is no difference between DV and OV in the browser's identity field. The screenshot below shows this field for Chrome, Firefox and MSIE. For both DV and OV, only the URL (no company name) shows in the identity field.

When the site has EV, the company name is displayed along with the URL. Chrome and MSIE use a green background for the company name, while Firefox uses green text for the company name.


However, if you look at the certificate itself, you will see the difference.

The two screendumps below are both from the Firefox certificate viewer.

The screendump below is from a site with only Domain Validation (DV). As you can see, there is no information about the organization in the certificate.


The next screendump is from a site with Organization Validation (OV). Here you can see the name of the organization that owns the domain.


You will also find the name of the organization for a site with Extended Validation (EV). The difference between OV and EV is that the company name is displayed in the browser's identity field if the site has an EV certificate, but not if it has an OV certificate.

Another way to tell DV and OV certificates apart is to inspect the numeric policy identifier (it appears under the certificate's "Details" tab if present). Please note that this identifier is not adopted by all CAs. The values used for the policy identifier are shown below:

DV 2.23.140.1.2.1
OV 2.23.140.1.2.2
Free Radical
14

Why would you think that you can trust companies officially registered in some countries more than you can trust registered domains hosted in any?

EV has an obvious advantage with its stricter validation; the differences in trustworthiness between the other two, however, are rather moot. Browser vendors supporting EV simply didn't feel the need to agree on a separate visual identification for the other two (OV, DV) verification models, as neither provides a clear advantage over the other (if any at all).

In short, none of the major browser vendors felt the need or desire to differentiate between the two and stand behind it with their name. Good that they didn't, too. If companies can withstand the scrutiny EV brings, then no one is stopping them from applying for such a certificate. On the other hand, there are clearly also needs for cheaper certificates where additional verification wouldn't fit within their price range. Browser vendors (and the user interfaces of some other software vendors) with EV support, however, don't stand behind these cheaper certificates in any special way beyond what is already there as usual, for the reasons mentioned before.

As for the other part of your question (visual inspection of certificate data), OV and DV would differ in their description, where OV usually holds more data about the company it was issued for, but that's about it. This additional information display can vary across different clients, though. The image you're attaching, however, is from Wikipedia, and you didn't mention what browser you were inspecting detailed certificate information in, so I can't say what differences you'd be able to see in an unknown browser.

Extended Validation Certificate display in Mozilla Firefox.

Example of Extended Validation certificate in Mozilla Firefox (above).

EDIT: A DV certificate contains no identifying information in the organization name field. Typically, this value just re-states the domain name or simply says "Persona Not Validated", "(unknown)" et cetera. This is not standard for all CAs, though. Another way would be to inspect the policy identifier (if present), where 2.23.140.1.2.1 stands for DV and 2.23.140.1.2.2 for OV. Again, this is not adopted by all CAs. In short, there is no deterministic way to tell if a certificate was Domain or Organization Validated.

Domain Validated Certificate display in Mozilla Firefox.

Example of Domain Validated certificate in Mozilla Firefox (above). Notice the lack of meaningful data in the organisation information field.

TildalWave
  • 3
    You have a point, but if it is not helping the end user's trust, then what is the point of having these two types of certificates? – Shurmajee May 01 '13 at 06:04
  • @MayankSharma - There is still a substantial difference in the validation process between the two which is _supposed to_ facilitate end user trust of OV > DV. I'm just saying that this _might_ (in some cases, not all or even majority) be a bit moot and should be up to end users themselves to decide on which to trust more, not browser vendors to suggest this by means of visual notification. Certification facilitates this trust to a varying degree in case of DV and OV, and less so in case of EV, which is its main selling point. The rest is politics and not for me to judge. – TildalWave May 01 '13 at 12:28
  • 3
    But that is the question: how does the user find out the kind of certificate a site is using? – Shurmajee May 01 '13 at 16:00
  • 3
    A DV certificate contains no identifying information in the organization name field. Typically, this value just re-states the domain name or simply says "Persona Not Validated". This is not standard for all CAs, though. Another way would be to inspect the policy identifier (if present), where 2.23.140.1.2.1 stands for DV and 2.23.140.1.2.2 for OV. Again, this is not adopted by all CAs. In short, there is no deterministic way to tell if a certificate was Domain or Organization Validated. I guess in Firefox, you would see meaningful data under `which is run by` for OV, and none or generic for DV. – TildalWave May 01 '13 at 16:39
  • "Why would you think that you can trust companies officially registered in some countries more than you can trust registered domains hosted in any?" OV and EV certificate ties a legal entity with a domain name. If you don't know the domain name of a company and found a site claiming to be the company from some random search, an OV/EV certificate gives you assurance that www.somerandom.com is operated by the company that is specified in the Organisation field, and that means you can trust that domain if you trust that company in real life. DV cert cannot transfer trust like that. – Lie Ryan Jul 15 '20 at 05:17
4

The extensions and OIDs in question can be read from the command line with `openssl x509 -noout -text -in <cert.file>`.

When doing that regularly, you may want to be exact. Here is a snippet from my own Python 3 certificate helper tool:

import re
from OpenSSL import crypto

# CA/Browser Forum policy OIDs that identify the validation level
known_policies = {
        '2.23.140.1.2.1': 'DV',
        '2.23.140.1.2.2': 'OV',
        '2.23.140.1.1':   'EV'
}
policy_re = re.compile(r'.*(2\.23\.140\.1\.[.0-9]+)', re.DOTALL)

def certificate_type(pem_data):
    """Return 'DV', 'OV' or 'EV' for a PEM certificate, or None if no known policy OID is present."""
    x509 = crypto.load_certificate(crypto.FILETYPE_PEM, pem_data)
    for idx in range(x509.get_extension_count()):
        ext = x509.get_extension(idx)
        if ext.get_short_name().decode('ascii') != 'certificatePolicies':
            # Other type of extension, not interested in that
            continue

        # str(ext) is OpenSSL's text rendering of the extension, e.g. "Policy: 2.23.140.1.2.2"
        policy_match = policy_re.match(str(ext))
        if not policy_match:
            # Doesn't seem to contain valid policy information
            continue

        policy_oid = policy_match.group(1)
        # .get() instead of indexing: a CA/B Forum OID we don't know must not raise KeyError
        return known_policies.get(policy_oid)
    return None

The general idea is to use Python's OpenSSL library to read and load an X.509 certificate, then iterate over its extensions looking for a certificatePolicies extension. The expected normal condition is that one of the hard-coded OIDs appears in the extension data.

Jari Turkia
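Both the OID table in the first answer and the pyOpenSSL snippet above key off the certificatePolicies extension, and both answers warn that not every CA includes the CA/Browser Forum OIDs. The block below is an added example, not code from any answer on this page: a dependency-free walker over the DER-encoded extension value that decodes each policyIdentifier, skips policy qualifiers such as CPS URIs, and classifies the result, using the CA/B Forum OIDs first and the DigiCert OIDs quoted elsewhere on this page as a fallback, with "unknown" when neither matches. The sample extension bytes, the CPS URL and the private OID 1.3.6.1.4.1.99999.1 are constructed for the example; the small DER encoder exists only to build that sample input.

```python
# Added example: classify DV / OV / EV from a DER-encoded certificatePolicies value
# (SEQUENCE OF PolicyInformation, RFC 5280 section 4.2.1.4). All sample data is constructed.

# CA/Browser Forum policy OIDs quoted in the answers
CABF_POLICIES = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV"}
# CA-specific fallback: the DigiCert OIDs quoted in the last answer
CA_SPECIFIC_POLICIES = {"2.16.840.1.114412.2.1": "EV", "2.16.840.1.114412.1.1": "OV"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element overruns its buffer")
    return tag, buf[pos:end], end


def decode_oid(content):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted-decimal."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for byte in content:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    # The first two arcs are packed into one value as 40*a + b.
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs from a DER certificatePolicies value.
    Qualifiers (CPS URIs, user notices) follow the OID and are skipped."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, policy_info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_bytes, _ = _read_tlv(policy_info, 0)  # first field: policyIdentifier
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def classify(oids):
    """Map policy OIDs to 'DV', 'OV', 'EV' or 'unknown'. CA/B Forum OIDs take
    precedence; anything unrecognised is 'unknown', since not every CA uses them."""
    for table in (CABF_POLICIES, CA_SPECIFIC_POLICIES):
        for oid in oids:
            if oid in table:
                return table[oid]
    return "unknown"


# Minimal DER encoder, used only to build the constructed samples below.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _base128(value):
    out = [value & 0x7F]
    while value >> 7:
        value >>= 7
        out.insert(0, 0x80 | (value & 0x7F))
    return bytes(out)


def encode_oid(dotted):
    """Encode a dotted-decimal OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return _tlv(0x06, body)


# Constructed OV sample: a CA-specific policy listed first (as many CAs do), then the
# CA/B Forum OV OID carrying a CPS URI qualifier (placeholder URL, not a real CPS).
SAMPLE_OV_EXTENSION = _tlv(0x30, b"".join([
    _tlv(0x30, encode_oid("2.16.840.1.114412.1.1")),
    _tlv(0x30, encode_oid("2.23.140.1.2.2") + _tlv(0x30, _tlv(0x30,
        encode_oid("1.3.6.1.5.5.7.2.1") + _tlv(0x16, b"http://cps.example.test/")))),
]))
# Constructed sample with only a made-up CA-private policy OID: no verdict is possible.
SAMPLE_UNKNOWN_EXTENSION = _tlv(0x30, _tlv(0x30, encode_oid("1.3.6.1.4.1.99999.1")))

if __name__ == "__main__":
    for name, ext in (("ov", SAMPLE_OV_EXTENSION), ("unknown", SAMPLE_UNKNOWN_EXTENSION)):
        oids = policy_oids(ext)
        print(name, oids, "->", classify(oids))
```

On a real certificate the extension value is the OCTET STRING content of the extension with OID 2.5.29.32; any ASN.1 library can hand that to `policy_oids`. Returning "unknown" rather than guessing is the point: as both answers stress, the absence of a CA/B Forum policy OID tells you nothing about whether the certificate is DV or OV.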
0
For DigiCert:
2.16.840.1.114412.2.1 - EV
2.16.840.1.114412.1.1 - OV

But given that browsers are no longer providing special visual indicators for EVs, we're moving from the more expensive EVs to OVs anytime an EV cert expires.

schroeder