When you set up a website, one of the most common add-ons you will need is an SSL security certificate. Let’s look at the top grade of this technology, EV SSL.
- What’s the CA/B Forum?
- What’s an EV SSL?
- How is your identity checked by the CA?
- EV requirements for a business applicant
- Weighing results vs. investment
Are you curious about what it means when you see a green indicator in your browser’s address bar? Let’s look at the technology that triggers this credibility and security feature: the extended-validation (EV) SSL certificate.
What’s the CA/B Forum?
The Certification Authority Browser Forum, or CA/B Forum, is an association of companies and organizations that work together to develop best practices for the use of security certificates.
SSL certificates, or secure sockets layer certificates, are the most commonly accepted and widely used form of security certificates; hence, they are the forum’s main point of focus. The technology lets certain pages of your site be served automatically over HTTPS, enabling e-commerce, logins, and other exchanges of confidential information.
What’s the role of the forum? This association really is a sort of “central command” for Internet security, simply because of its powerful members, which fall under three categories:
- Certification authorities (CAs) – Symantec, Comodo, GlobalSign, etc.
- Browser developers – Mozilla, Apple, Microsoft, Google, etc.
- Standards developing organizations – American Institute of CPAs, American Bar Association, etc.
Essentially, each member contributes its expertise and concerns, and the result is that browsers and CAs all meet the same baseline requirements in their treatment of the HTTPS protocol (via the certificates).
The stated mission of the group is to share and promote security standards so that certificates are better understood. The primary difference between different certificates is their level of validation – the extent to which site ownership is verified to add credibility to online transactions (along with the encryption function). The three types are domain-validation (or a DV certificate), organization-validation (an OV certificate), and extended-validation (an EV certificate).
What’s an EV SSL?
According to the CA/B Forum, the two primary purposes of extended-validation certificates are to “identify the legal entity that controls a web site… and enable the encrypted communication of information over the Internet between the user of an Internet browser and a web site.”
By performing those two basic functions, the certificate serves secondary purposes as well. First, it enhances the credibility of the website owner, leading to fewer abandoned shopping carts and a lower bounce rate. Second, because the technology is standardized, the encryption component gives companies a shared framework with which to target malware, phishing, and other Internet ills.
The thorough validation process behind these “green-bar” extended-validation certificates is valuable in other ways as well:
- People aren’t able to easily use them in phishing attacks like they can with the cheaper domain-validated ones.
- This protection lets companies give their customers assurance and safeguard them, which both builds confidence and keeps someone else from taking their payments.
- They make it less complicated for police and related agencies to figure out the organizations behind online fraud.
How is your identity checked by the CA?
The certification authorities are the ones that actually put these standards into action, going through the validation procedure as designated by the CA/B Forum. Their objective is simply to determine that you are who you say you are. A certification authority is only able to grant the EV SSL to a private association, public-sector agency, for-profit company, or nonprofit that meets strict verification criteria.
The guidelines differ a bit based on the type of organization. Let’s look at the ones that vet for-profit companies, since that is presumably the most common type of applicant and the rules are similar to those for other categories.
EV requirements for a business applicant
For-profit companies are referred to as “business entities” within the CA/B guidelines. Here are the basic standards that allow them to get EV SSLs:
- A company or division of a company qualifies for EV SSL ownership if it “is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity’s charter, certificate, or license,” notes the CA/B Forum, “and the entity’s existence can be verified with that Registration Agency.”
- The company has to prove it is based in a specific physical location.
- The CA needs to confirm the identity of a person in an executive position (which the forum calls the “Principal Individual”) at the business.
- That person must sign a Subscriber Agreement with the CA.
- The CA is able to validate the doing-business-as (dba) name, if applicable.
- Neither the business nor the principal contact person is allowed to be based in a nation in which the certification authority is unable to legally sell the software.
- Finally, “[t]he entity and the identified Principal Individual associated with the entity [cannot be] listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction,” says the CA/B Forum.
How much “green” for the green bar? Results vs. investment
Are you looking for an SSL certificate to secure your transactions and earn the trust of your customers? In an official case study, WaterFilters.Net improved their conversion rate by 20% after adopting a GeoTrust® True BusinessID with Extended Validation (EV) SSL certificate. Get yours today.