I know with the current state the certificates are going to be Domain Validated (DV). Are there any plans to offer Extended Validation (EV) certificates in the future?
Continuing the discussion from Green Address bar:
What about having some volunteers that would do that? They'd do it for free and maybe you guys could give them community service hours or something like that.
But this can't be done by everyone. I mean everyone is able to do it, but the person who does this is also responsible for this.
And from an outer perspective LE is responsible if there is a 'mistake' and it would be very bad if LE loses trust as this is the most important thing of CAs.
So basically LE also would have to trust everyone who does this so this can't be people chosen randomly.
I see now. Thank you!
I assume that OV certificates won't be issued for similar reasons.
Yep, that is the case.
I also would welcome 'organisation validated' certificates - maybe this is the point where 'Let'sEncrypt' could join forces with the already long-term existing 'web-of-trust' managed by CACert.org ???
@Schultz-IT-Solutions the main reason why LE is not supporting OV and EV is because the validation procedures are hard to automate.
For the sake of my curiosity, do you have any concrete proposal for how the various organization and business validations (that today involve several back-and-forths) could be automated and hence performed programmatically via API?
I have an example for France.
La Poste (the national mail service) offers a service called 'Lettre recommandée', id est, you send a mail (actual paper mail) to someone or some organization, and 'La Poste' does not give the mail without a proof of identity (usually the national identity card or a passport). Wikipedia tells me that this is called a Registered mail in English.
You can imagine letsencrypt sending a token to someone using a 'Lettre recommandée' (via 'La Poste' API), delegating the proof of identity to 'La Poste'. Then letsencrypt gets the token a couple of days later, it knows that 'La Poste' has checked that the identity in the mail is correct. Letsencrypt just has to make people pay the cost of the 'Lettre recommandée', currently 5,64 €.
Of course, that supposes trusting 'La Poste' for identity validation, and that may not be possible…
I don't know, but, how are actual proofs of identity made for OV and EV certificates?
Édith; for the record, you can send a 'Lettre Recommandée' using this online form.
@Nit, what you describe is an external process that requires manual intervention and it can't be performed programmatically. That's the issue.
But the manual process is externalized, from Letsencrypt's point of view it's automatic:
- Send a token using the mail provider API.
- Get (or not) the token from the user later (with a time-out in weeks).
- Identity is (or is not) validated.
No, it's not, because both the client and LE have to manually interact with an external process. Moreover, the OV and EV validations require specific checks about company details, it's not just a matter of sending out a token. If that were the case, there would be no need for using a physical mailing service (in fact that's what LE is doing today with the authorizations for the DV certificates).
In order to be evaluated, the entire process (from the client to the CA and then back to the client) should have no manual intervention. And what you described doesn't match this criterion.
Hello weppos,
CACert.org's web of trust is a global network of persons who validated their identity against each other.
In this process, the so called 'assurer' assures the validity of personal documents (passport, driving licence and likewise) of the assuree in a 'face to face meeting'. Once this process is done, the assurer enters the respective data into a web based form on the CACert.org website.
This means that from a CA point of view, this process is automated (or rather the manual process is 'outsourced' to the community members).
This process (although there are 'extra requirements' on both parties) also applies for the assurance of organisations.
If you like to know more, I am certain there are knowledgeable people about CACert.org near your physical location…
Weppos - those company details may be available from government provided public data that could be fetched from an API.
Does anyone have an authoritative list of requirements for issuing an Extended Validation certificate? It might actually be possible to automate those tasks, at least within certain countries.
That would be the EV Guidelines. But no, they require that multiple people validate and authorise EV cert issuance.
Brushing off this old thread because I'm very interested in having LE generated OV certs.
weppos, what's the issue with having a manual process that needs to be completed by the administrator, a paid trusted third party to handle that process, and then having an API between the third party and LE that allows them to confirm the OV or EV status of the requestor?
That way LE is still fully automated and free since the administrator is paying for the third party to validate them and confirm that validation with LE.
I think this would be a big conceptual change for LE, not least because of the need to negotiate arrangements with the trusted third party (at a technical level, at a business level, and at a CA issuance policy level).
I can tell you that when we started talking about what became the ACME protocol several years ago, we did want to have extensibility in the technology to handle roughly this kind of case, but probably from a different CA rather than our own CA. I believe that extensibility is basically there in the ACME technology and I think the ACME WG and client implementers would be very interested in working with any existing CA to add some kind of flow for offline identity validation and issuance of a paid cert. Not only would we not oppose it but I think we would be eager to help make it happen.
But as I said, I think administratively it would be tricky for the Let's Encrypt CA to do this; you know, it's not just an API, but also a complex business relationship which LE in turn would have to satisfy auditors about, and it could be a distraction from LE's own core activity of DV issuance.
Hi @all, EV should be possible via payment APIs like those of banks, where you can fetch and compare automatically the Firstname / Lastname / Birthday or Company details.
hi @CoreTex
I think you are missing the point. The problem is not technology, it's people power.
Auditors want a human to review the process. What you are describing works for payment gateways as there are only a few suppliers of information (VISA, MASTERCARD, AMEX).
When you get to trying to validate business names and validity (tax records, company establishment documents) it becomes a very different beast as every country has its own processes, government teams etc.
Quite often when dealing with EV teams at other CAs there is a lot of going back and forwards before the EV certificate is registered. They need to establish the business is real, the people requesting the Certs are related to the business and the business is in good standing order.
Even if this could be automated with an API this would still have a cost (from the provider of the API). Which negates the whole point of a free certificate authority.
Andrei