When an SSL Certificate is requested, the Certificate Authority (CA) verifies the requesting organization’s identity, and the extent of that verification varies with the level of authentication that type of certificate requires. While CAs offer the same levels of authentication, there is a difference in their validation methodologies.
What are the main differences in validation by SSL Providers?
Validation may be performed in one of two ways: manually or automatically.
Traditionally, manual validation (as used by VeriSign, Thawte, Entrust) has been cumbersome, long-winded and expensive for the SSL Provider and therefore the purchaser. Automated validation (as used by GeoTrust and GoDaddy) is faster and more cost-effective, yet does not provide the level of assurance expected by consumers relying on SSL. For example, GeoTrust’s Quick SSL Certificates only validate the applicant’s right to use a domain name and not the legitimacy of the company itself.
Comodo, in using IdAuthority, innovated the method of conducting High Assurance validation (both domain name ownership and company legitimacy) resulting in a far high assurance SSL certificate providers. This ensures a speedy issuance process without compromising the assurance level of the SSL certificate.
Does strong validation really matter?
Validation is essential!
It provides the underlying trust infrastructure that consumers have begun to rely upon. Firstly, the applicant must be deemed to have a legitimate right to use a domain name, and secondly, the applicant must be a legitimate, legally responsible entity. All High Assurance providers will perform a two-step validation process, with Low Assurance providers like GeoTrust and GoDaddy only performing a domain name ownership check.
The lack of validation performed by some SSL Providers caused concern throughout the industry, such that Opera, with the release of 8, and Microsoft, with Internet Explorer 7, both offer consumers the ability to view enhanced details about the certificate. As summarized in the Gartner report “Secure Sockets Layer sometimes isn’t”, low assurance providers may be responsible for the lack of trust in SSL by consumers. As consumers learn from high profile sources that SSL Certificates from GeoTrust and GoDaddy do not necessarily mean they are dealing with a verified legal entity, the confidence in GeoTrust certificates will be reduced. Sites purchasing from GeoTrust and GoDaddy may potentially find their SSL Certificates do not provide customers with the level of trust they expect and require.