Adding Ownership Information?

Well, there are 3-5 major web browsers depending on how you count, and Firefox is just one. As I understand it, the story goes roughly like this. OV certificates existed (though without anyone formally recognising them as a category) from the outset of the Web PKI in the mid-1990s when Netscape invents SSL. At first there was no DV. All certificates were as expensive and difficult to get as EV certificates are today, with manual steps involved. Certificate Authorities declared "Classes" of certificate, with the more expensive classes being "better". But there was no indication of class in browsers and each CA set its own rules. The X.500 Distinguished Names were inconsistently filled out, mostly by signing whatever was in the CSR. With no formal standards and precious little enforcement from Netscape or Microsoft, a race to the bottom began, as companies which secured themselves a place as trusted roots in the major browsers began to offer "Domain Verified" certificates for less money. The means of verification were largely hand-rolled (some big CAs have patents you read about how they "verified" domains). Generally the indication that this far inferior verification had happened was in some human readable text in the certificate, for example OU=Domain Verified, or even OU=Verified by Name-of-CA O=Name-of-CA and CN=domain.example. If you paid more money, you could fill out more fields and they might do some rudimentary checking of the values in those fields, depending on how much money you'd paid and the "class" of certificate.

One problem with a race to the bottom (if you're a commercial outfit) is that prices hit zero and then income hits zero and then you go out of business. But perhaps just as important, quality also diminishes to hit the reduced price point. Should a person be able to get an SSL certificate for hotmail.com by asking Hotmail for the email address systemadm@hotmail.com and then just filling that out in a web form and clicking the resulting email link? Erk. Trust in the system dimished, and some backlash began to hit the browser vendors who'd selected these CAs to trust.

So, browser vendors were sick of DV, and public CAs were sick of DV but for different reasons. The CAs thought the best way forward was to have a new kind of "really, really trusted" certificate (for which they'd charge a lot of money), EV but keeping all the old ones. The browser vendors thought the CAs should apply all their proposed new rules for EV to their existing certificates and stop the race to the bottom. The CA/Browser forum is the incarnation of that ongoing discussion, and the results are the compromise we all experience day-to-day. EV certificates have that "green bar" that CAs believed would help sell them, OV, DV (and IV and others) were standardised, with a policy OID to tell browsers programatically what sort of verification was done. The rules for EV are tighter than they ever had been for older certificates, but the rules for all other certificates were also tightened up gradually.

But CA/B has no formal legal status, and all browser vendors actually implement their own rules, albeit referring to the CA/B Baseline Requirements and EV Guidelines. So, Chrome on Android doesn't have a green bar, and Firefox doesn't consider OV certificates different from DV certificates and Internet Explorer / Edge ignore all policy OIDs except the ones from the CA/B but other browsers accept custom OIDs, and so on.

5 Likes