Namecheap Response to Let's Encrypt

IMHO, OV and DV certificates have equal value. The extra validation required for OV certificates makes no difference because the average website visitor can’t tell the difference between OV and DV certificates.

You literally need to read the baseline requirements from the CA Browser Forum to figure out the difference.

Firefox, Chrome, IE, and Edge all have identical displays for OV and DV certificates. AFAIK, the only way to tell the difference is to open the certificate and look at it. Then you can use these simple (/s) rules:

  • If the organization name is NOT set, it’s a DV certificate. Firefox is the easiest browser to check this with by clicking the padlock, clicking the right arrow, clicking ‘more information’, clicking ‘view certificate’, and looking at the ‘Organization (O)’ property. In Chrome you can click padlock, click the ‘valid’ link, click the ‘details’ tab, select the ‘subject’ field, and look for the ‘O=’ property.

  • If the organization name IS set, it can be either an OV or an IV certificate, so you need to check the certificate policies to tell the difference.

  • The certificate will have a policy identifier indicating the validation type:

    • 2.23.140.1.2.1 = DV
    • 2.23.140.1.2.2 = OV
    • 2.23.140.1.2.3 = IV

How many blogs have you read that claim there are 3 types of validation even though there are actually 4 (DV, OV, IV, EV)?

So, if your site visitors:

  • Click the padlock.
  • Open the certificate.
  • Navigate to the details panel.
  • Navigate to the certificate policies.
  • Know that a certificate with a policy identifier of 2.23.140.1.2.2 is organization validated.
  • Understand the differences in validation requirements between DV, OV, IV, and EV.
  • Are only willing to use your site if it’s got an OV certificate instead of a DV certificate.

Then an OV certificate might have value over a DV certificate. I say might because it takes 4 clicks into the certificate every time you visit a site to check the subject’s organization name or the certificate’s policies to guarantee it’s not a mis-issued DV certificate.

You could also rely on visitors knowing that some certificate authorities only issue OV and EV certificates, but I doubt many non-technical people know any certificate authorities, let alone their policies on issuing certificates.

And, none of that even gets onto the topic of competence. Buying an OV or even an EV certificate doesn’t auto-magically make you competent.

TLDR; No one can tell the difference between DV and OV and, even if they can, identity validation doesn’t improve technical competency, so it’s possible for a DV site to be (technically) more trustworthy than an OV (or even an EV) site.
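The two checks the post describes (is the subject’s Organization set, and which CA/Browser Forum policy OID is present) turned into code, as an added example that is not part of the original post. It assumes the `cryptography` library is available; the self-signed test certificates are constructed for demonstration, and the EV OID 2.23.140.1.1 is added alongside the three OIDs from the post.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ObjectIdentifier
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# CA/Browser Forum policy OIDs: the three from the post plus the EV OID.
CABF_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}

def validation_level(cert):
    """Classify a certificate using the post's rules: subject O, then policy OID."""
    has_org = bool(cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME))
    try:
        policies = cert.extensions.get_extension_for_class(x509.CertificatePolicies).value
        oids = {p.policy_identifier.dotted_string for p in policies}
    except x509.ExtensionNotFound:
        oids = set()
    levels = {label for oid, label in CABF_POLICY_OIDS.items() if oid in oids}
    if not has_org:
        # No organization name: DV, unless the cert also claims an OV/IV/EV policy,
        # which is the kind of inconsistency the post calls a mis-issued certificate.
        return "DV" if not (levels - {"DV"}) else "mismatch"
    if len(levels) == 1:
        return levels.pop()
    # O is set but no single CABF OID: the cert alone cannot tell OV from IV.
    return "unknown"

def self_signed(org, policy_oid):
    """Constructed self-signed test certificate (hypothetical, for this example only)."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "example.test")]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    if policy_oid:
        builder = builder.add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(ObjectIdentifier(policy_oid), None)]),
            critical=False)
    return builder.sign(key, hashes.SHA256())
```

For a real site, load the served certificate with `x509.load_pem_x509_certificate` and pass it to `validation_level`.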
