
OV certificates are even worse. The verification is a hassle and it's extremely difficult to distinguish OV from DV. Try to figure it out. The only way I'm aware of is to make sure the `Policy Identifier` [1] of the certificate is `2.23.140.1.2.2`.

I've also never had a good experience with the validation process from any of the CAs. They often push anything that's not immediately discoverable back to the applicant and expect them to do the leg work. I've had both Comodo and DigiCert do this to me in the past. Here's an example from DigiCert. This happened this year (2022).

> First, as part of the verification process, we are required to confirm the registration of your organization with the local registering authority.

> We have attempted to locate the registration records using online resources; however, we have not been able to locate such a document. If you are aware of any government-based search tools for your jurisdiction that can be used to locate proof of the organization's registration, please reply to this email with a link and instructions for locating that record. Once received, our validation team will confirm the record and proceed with the validation process.

Really? To me that seems like someone who isn't familiar with my jurisdiction because they don't know the process. What's stopping me from sending them a link to a fake, official looking site? It seems like an invitation for social engineering. Code signing certificates are the same. It's infuriating.

In my experience, they look for your company on Google Local (or whatever it's called now) or similar and if they can't find it they punt it back to you. I think the whole process is worse than nothing because it's selling a false sense of security for anyone who believes the marketing.

From a customer value standpoint, I'd rather pay for a DV certificate where the value comes from helping me to set up proper CAA records to prevent mis-issuance as well as certificate monitoring for any potential lookalike domains. Of course, the margins on that probably wouldn't be as good.

Thankfully I only deal with one place that insists on buying expensive certificates because "they're better". Just for fun, sometime go look at the TLS certificates used by all of your local government websites and try to figure out what they cost. Then factor in the labor for multiple people to coordinate annual renewals and manual installation. It's frustrating.

1. PDF Warning: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...
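As an added illustration of the policy-OID check the comment describes (not code from the post or from any linked document): a stdlib-only Python checker that walks a DER certificate, pulls the OIDs out of the certificatePolicies extension and maps them to the CA/B Forum validation levels. It generalizes the comment's single OV OID to its DV, IV and EV siblings; the sample certificate it builds is a constructed, unsigned skeleton, not a real cert, and `sample_cert`/`_der` exist only to produce that input.

```python
# CA/Browser Forum reserved policy OIDs. The comment names only the OV value; its
# siblings come from the same BR section (DV/IV) and from the EV Guidelines (EV).
CABF_POLICY = {"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV",
               "2.23.140.1.2.3": "IV", "2.23.140.1.1": "EV"}
CERT_POLICIES_EXT = "2.5.29.32"  # id-ce-certificatePolicies

def _children(value):
    """Yield (tag, contents) for each DER TLV packed in value; long lengths handled."""
    pos = 0
    while pos < len(value):
        tag, n, pos = value[pos], value[pos + 1], pos + 2
        if n & 0x80:                          # long form: low 7 bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(value[pos:pos + k], "big"), pos + k
        yield tag, value[pos:pos + n]
        pos += n

def _decode_oid(v):
    """Dotted string from OID contents; the first byte packs the first two arcs."""
    arcs, acc = ([2, v[0] - 80] if v[0] >= 80 else [v[0] // 40, v[0] % 40]), 0
    for b in v[1:]:                           # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def policy_oids(cert_der):
    """Policy OIDs listed in the certificatePolicies extension of a DER certificate."""
    def walk(value):
        kids = list(_children(value))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if len(kids) >= 2 and kids[0][0] == 0x06 and _decode_oid(kids[0][1]) == CERT_POLICIES_EXT:
            seq_of = next(_children(kids[-1][1]))[1]  # OCTET STRING wraps SEQUENCE OF PolicyInformation
            return [_decode_oid(next(_children(pi))[1]) for _, pi in _children(seq_of)]
        for tag, v in kids:                   # descend into SEQUENCE/SET and [n] constructed tags only
            if (tag in (0x30, 0x31) or tag & 0xE0 == 0xA0) and (found := walk(v)):
                return found
        return []
    return walk(cert_der)

def validation_level(cert_der):  # 'DV'/'OV'/'IV'/'EV' from a CA/B Forum OID, else 'unknown'
    return next((CABF_POLICY[o] for o in policy_oids(cert_der) if o in CABF_POLICY), "unknown")

# Constructed sample input: an unsigned certificate skeleton built with a minimal DER encoder.
def _der(tag, *parts):                        # short-form lengths are enough for the sample
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(policy_oid_der):
    """Certificate whose only extension is certificatePolicies with the given OID contents."""
    ext = _der(0x30, _der(0x06, b"\x55\x1d\x20"),      # extnID = 2.5.29.32
               _der(0x04, _der(0x30, _der(0x30, _der(0x06, policy_oid_der)))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),  # v3, serial 1
               _der(0x30), _der(0x30), _der(0x30), _der(0x30), _der(0x30),  # empty alg/names/validity/spki
               _der(0xA3, _der(0x30, ext)))
    return _der(0x30, tbs, _der(0x30), _der(0x03, b"\x00"))
```

On a real certificate, pass the DER bytes (base64-decode a PEM body first); `b"\x67\x81\x0c\x01\x02\x02"` is the DER contents of the comment's 2.23.140.1.2.2.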
