Plans for Extended Validation?


#1

I know with the current state the certificates are going to be Domain Validated (DV). Are there any plans to offer Extended Validation (EV) certificates in the future?


#2

Continuing the discussion from Green Address bar:


#3

What about having some volunteers that would do that? They’d do it for free and maybe you guys could give them community service hours or something like that.


#4

But this can’t be done by everyone. I mean everyone is able to do it, but the person who does this is also responsible for it.
And from an outside perspective LE is responsible if there is a ‘mistake’, and it would be very bad if LE loses trust, as this is the most important thing for a CA.
So basically LE would also have to trust everyone who does this, so these can’t be people chosen randomly.


#5

I see now. Thank you!


#6

I assume that OV certificates won’t be issued for similar reasons.


#7

Yep, that is the case.


#8

I also would welcome “organisation validated” certificates - maybe this is the point where “Let’s Encrypt” could join forces with the long-established “web of trust” managed by CACert.org ???


#9

@Schultz-IT-Solutions the main reason why LE is not supporting OV and EV is because the validation procedures are hard to automate.

For the sake of my curiosity, do you have any concrete proposal for how the various organization and business validations (which today involve several rounds of back and forth) could be automated and hence performed programmatically via an API?


#10

I have an example for France.

La Poste (the national mail service) offers a service called “Lettre recommendée”, id est, you send a mail (actual paper mail) to someone or some organization, and “La Poste” does not hand over the mail without proof of identity (usually the national identity card or a passport). Wikipedia tells me that this is called Registered mail in English.

You can imagine letsencrypt sending a token to someone using a “Lettre recommendée” (via the “La Poste” API), delegating the proof of identity to “La Poste”. Then, when letsencrypt gets the token a couple of days later, it knows that “La Poste” has checked that the identity in the mail is correct. Letsencrypt just has to make people pay the cost of the “Lettre recommendée”, currently 5,64 €.

Of course, that supposes trusting “La Poste” for identity validation, and that may not be possible…

I don’t know, but how are actual proofs of identity made for OV and EV certificates?

Edit: for the record, you can send a “Lettre Recommendée” using this online form.


#11

@Nit, what you describe is an external process that requires manual intervention and can’t be performed programmatically. That’s the issue.


#12

But the manual process is externalized; from Letsencrypt’s point of view it’s automatic:

  1. Send a token using the mail provider’s API.

  2. Get (or not) the token from the user later (with a time-out in weeks).

  3. Identity is (or is not) validated.


#13

No, it’s not, because both the client and LE have to manually interact with an external process. Moreover, the OV and EV validations require specific checks about company details; it’s not just a matter of sending out a token. If that were the case, there would be no need for using a physical mailing service (in fact that’s what LE is doing today with the authorizations for the DV certificates).

In order to be evaluated, the entire process (from the client to the CA and then back to the client) should have no manual intervention. And what you described doesn’t match this criterion.


#14

Hello weppos,
CACert.org’s web of trust is a global network of persons who have validated their identity against each other.
In this process, the so-called “assurer” assures the validity of personal documents (passport, driving licence and the like) of the assuree in a “face to face meeting”. Once this process is done, the assurer enters the respective data into a web-based form on the CACert.org website.
This means that from a CA point of view, this process is automated (or rather, the manual process is “outsourced” to the community members).
This process (although there are “extra requirements” on both parties) also applies to the assurance of organisations.

If you would like to know more, I am certain there are knowledgeable people about CACert.org near your physical location…


#15

Weppos - those company details may be available from government-provided public data that could be fetched from an API.

Does anyone have an authoritative list of requirements for issuing an Extended Validation certificate? It might actually be possible to automate those tasks, at least within certain countries.


#16

That would be the EV Guidelines. But no, they require multiple people to validate and authorise EV cert issuance.


#17

Brushing off this old thread because I’m very interested in having LE generated OV certs.

weppos, what’s the issue with having a manual process that needs to be completed by the administrator, a paid trusted third party to handle that process, and then an API between the third party and LE that allows them to confirm the OV or EV status of the requestor?

That way LE is still fully automated and free, since the administrator is paying for the third party to validate them and confirm that validation with LE.


#18

I think this would be a big conceptual change for LE, not least because of the need to negotiate arrangements with the trusted third party (at a technical level, at a business level, and at a CA issuance policy level).

I can tell you that when we started talking about what became the ACME protocol several years ago, we did want to have extensibility in the technology to handle roughly this kind of case, but probably from a different CA rather than our own CA. I believe that extensibility is basically there in the ACME technology and I think the ACME WG and client implementers would be very interested in working with any existing CA to add some kind of flow for offline identity validation and issuance of a paid cert. Not only would we not oppose it but I think we would be eager to help make it happen.

But as I said, I think administratively it would be tricky for the Let’s Encrypt CA to do this—you know, it’s not just an API, but also a complex business relationship which LE in turn would have to satisfy auditors about—and it could be a distraction from LE’s own core activity of DV issuance.


#19

Hi @all, EV should be possible via payment APIs like those of banks, where you can automatically fetch and compare the first name / last name / birthday or company details.


#20

hi @CoreTex

I think you are missing the point. The problem is not technology, it’s people power.

Auditors want a human to review the process. What you are describing works for payment gateways, as there are only a few suppliers of information (VISA, MASTERCARD, AMEX).

When you get to trying to validate business names and validity (tax records, company establishment documents) it becomes a very different beast, as every country has its own processes, government teams etc.

Quite often when dealing with EV teams at other CAs there is a lot of going back and forth before the EV certificate is registered. They need to establish that the business is real, that the people requesting the certs are related to the business, and that the business is in good standing.

Even if this could be automated with an API, this would still have a cost (from the provider of the API), which negates the whole point of a free certificate authority.

Andrei