Plans for Extended Validation?


It’d be really cool if Let’s Encrypt were to implement a model where private organizations could issue EV certificates on behalf of Let’s Encrypt. This could potentially drive down the costs of EV certificates which would benefit everyone in the long term.


That wouldn’t really change anything - those organizations would still need to perform all of the CABF-required validation, maintain audits, etc., which is a large part of the cost for EV certificates. Plus, I’m not sure how comfortable Let’s Encrypt would be with trusting the validity of their roots to third parties coming in to be the lowest bidder. If one of these was found to be falsely verifying applicants, that would cause the Let’s Encrypt root to be distrusted.


This will never happen because they would need to pay someone to issue an EV SSL which would cost tons of money that Let’s Encrypt would lose.


What about making them paid, thus giving a lot more businesses the opportunity to “donate” to LE?


Even humans are prone to errors, when criminals are really into it. Think about “community” approved after you read this.


I don’t think the extra money would be worth the implementation effort and ongoing additional administrative complexity for Let’s Encrypt. It also considerably complicates the explanation of the nature of the CA’s services, and would probably make some prospective users suspicious of the nonprofit bona fides of the service because some of them might start to worry that the free DV certificates existed only or mainly in order to try to upsell users on paid EV certificates.


There’s a for-profit certificate reseller service that has already tried to automate the parts of the EV process that can be readily automated:

So people who like the idea of (relatively) automated CAs and want to pay someone for an EV certificate could give them a try. And if the ACME technology continues to get more adoption and integration, maybe this reseller or another one will support it as part of an EV deployment workflow in the future.


Someone from CertSimple (the founder?) is quite active on that orange website, and I recall them saying on one of the threads about Let’s Encrypt that they were very interested in offering ACME support in the future.

So definitely let them know if that’s something you are interested in.