Validating Your SSL Investment

The importance of organization validation (OV).

SSL certificate providers employ different methods for verifying the identity of the organization or individual purchasing an SSL certificate. Unfortunately, not all validation processes meet the same standards, and it's important to understand the difference.

Certificates verified using organization validation (OV) or extended validation (EV) practices contain the verified name of the entity that controls the website. Certification authorities (CAs) issuing these certificates check with third parties to establish the official name of the organization and where it is located.

Importantly, the CA takes further steps to contact the requesting organization to confirm that they did, indeed, request the certificate and that the requester is authorized to receive the certificate on behalf of the organization. When visiting a website using an OV or an EV certificate, the end-user can use the certificate to verify that they are sending their transaction data to the intended recipient.

The DV dilemma?

In contrast, domain-validated certificates are typically verified and issued through automated processes. Human intervention is minimized and organization checks are eliminated — a tactic that supports issuing certificates in a quick, cheap manner.

And as you might guess, a DV certificate contains no identifying information in the organization name field. Typically, this value just re-states the domain name or simply says "Persona Not Validated." In other words, although the certificate supports transaction encryption, the end-user cannot trust the certificate to confirm who is on the other end. So the transaction is encrypted for whom?
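The organization-name check described above can be automated. The following is an added example, not code from Entrust: it reads the subject of a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert() and reports whether the organization name field carries an identity or is empty, a placeholder, or a re-stated domain name. The function names and the four sample certificates are constructed for illustration.

```python
# Added example: does a certificate's subject carry an organization identity?
# Input is the dict form returned by ssl.SSLSocket.getpeercert().

# Placeholder text quoted in the article; extend as needed (assumption).
PLACEHOLDERS = {"persona not validated"}

def subject_attrs(cert, name):
    """Collect every value of one subject attribute across all RDNs."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == name]

def dns_names(cert):
    """Hostnames the certificate covers: SAN DNS entries plus subject CNs."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = subject_attrs(cert, "commonName")
    return {n.lower().rstrip(".") for n in san + cns}

def organization_identity(cert):
    """Return the organization name, or None when the field is absent,
    a known placeholder, or merely re-states a covered domain name."""
    names = dns_names(cert)
    # Also treat the base of a wildcard name (*.example.com) as a domain.
    names |= {n[2:] for n in names if n.startswith("*.")}
    for org in subject_attrs(cert, "organizationName"):
        value = org.strip()
        key = value.lower().rstrip(".")
        if key and key not in PLACEHOLDERS and key not in names:
            return value
    return None

# Constructed sample certificates (not real issuance data).
OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"),),
}
DV_EMPTY = {"subject": ((("commonName", "www.example.net"),),),
            "subjectAltName": (("DNS", "www.example.net"),)}
DV_RESTATED = {"subject": ((("organizationName", "example.net"),),
                           (("commonName", "*.example.net"),)),
               "subjectAltName": (("DNS", "*.example.net"),)}
DV_PLACEHOLDER = {"subject": ((("organizationName", "Persona Not Validated"),),
                              (("commonName", "shop.example.org"),))}

if __name__ == "__main__":
    for label, cert in [("OV", OV_CERT), ("DV empty", DV_EMPTY),
                        ("DV restated", DV_RESTATED),
                        ("DV placeholder", DV_PLACEHOLDER)]:
        print(label, "->", organization_identity(cert) or "no organization identity")
```

Against a live connection, getpeercert() returns this dictionary only when certificate verification is enabled on the SSL context; with verification disabled it returns an empty dictionary, which this check reports as having no organization identity.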

At Entrust, 100 percent of our SSL certificates provide organization identity. All of our SSL certificates are intended to provide security, accountability and trust.