Validation techniques for SSL Certs

You've bought an SSL certificate and now you need to validate it. What does that mean and how do you make it happen?

In the most basic terms, the SSL providers are asking you to prove that you are who you say you are. They require this so that they can be confident vouching for the security of your website. There are three methods of validating your new SSL certificate. These are:

  • Domain Validation
  • Organisation Validation
  • Extended Validation

All three techniques vary in the length of time they take to complete, and this affects the processing of an SSL order.

Domain Validation

Domain Validation (DV) is a two-step process involving the Certificate Authority (CA) and the end user.

  1. A domain name check, involving an automatic WHOIS lookup, which retrieves and checks the email address of the registrant contact for the domain name.
  2. A certificate approval is carried out via a system-generated email, which is sent to the email address nominated through the domain name check process.

Organisation Validation

Organisation Validation (OV) is the second level of validation used by the CA. OV is considered to be a four-step process comprising the following:

  1. The domain name check is similar to that of DV; however, a WHOIS lookup is carried out to confirm that the organisation listed in the application is in fact the owner of the domain name. In some instances, a business certificate can be used to prove ownership for entities such as a Trading Name, Trade Marks and Registered Business Name (RBN).
  2. The organisation name check is carried out by VeriSign to ensure the organisation listed on the application is a legitimate entity. VeriSign have agreed with Melbourne IT to use local lookups to determine Australian organisations (ASIC and ABR as a secondary resource). Traditionally, a lookup is made through Secretary of State (SOS) or a Dun and Bradstreet database.
  3. Telephone number check is carried out to find a publicly listed telephone number that is registered to the nominated organisation found on the application. Note, both landline and mobile numbers are acceptable.
  4. The verification call is made to the publicly listed contact telephone number. The conversation is to confirm the SSL order has been made.

Extended Validation

Extended Validation (EV) is the most comprehensive authentication process available. Customers who want maximum security should purchase an SSL certificate which uses this method of validation. The EV process consists of 8 to 11 steps, which are carried out by the support team.

  1. A check against denied lists is carried out (Denied Countries, Black List and Phishing List)
  2. Check if the organisation is greater or less than three years old
  3. Confirm employment of the Corporate Contact listed on the application through the organisation's HR manager. A mobile contact cannot be supplied here
  4. Verify the organisation address
  5. The domain name check is similar to that of DV; however, a WHOIS lookup is carried out to confirm that the organisation listed in the application is in fact the owner of the domain name
  6. A third party telephone listing is obtained through a Telephone Directory, Web Site, etc.
  7. Confirm authentication of the corporate contact (Step 7 can be ignored only if Step 3 was fulfilled)
  8. A Lawyer's Opinion Letter is required if the customer support team can't authenticate any of the Steps from 2 to 7
  9. Support will verify the Lawyer's Authority and registration (if applicable)
  10. Support will verify the Lawyer's Opinion Letter
  11. A final verification call will be made with the corporate contact
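
Once a certificate has been issued, the level of validation the CA performed (DV, OV or EV, as described above) is recorded in the certificate as a policy OID. The Python below is an added example, not part of the original article: it classifies the text printed by `openssl x509 -noout -text` and flags a Subject that is inconsistent with the claimed level. The OIDs are the CA/Browser Forum's and do not appear in the article; the function name and the sample text are constructed for illustration.

```python
import re

# CA/Browser Forum certificate-policy OIDs (not listed in the article).
POLICY_LEVELS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.1": "EV",
}
RANK = {"DV": 1, "OV": 2, "EV": 3}

def validation_level(cert_text):
    """Classify `openssl x509 -noout -text` output; return (level, warnings)."""
    # Assumes policies are printed as numeric OIDs ("Policy: 2.23.140.1.2.2").
    oids = re.findall(r"^\s*Policy:\s*([0-9.]+)\s*$", cert_text, re.MULTILINE)
    levels = {POLICY_LEVELS[o] for o in oids if o in POLICY_LEVELS}
    if not levels:
        return None, ["no DV/OV/EV policy OID found; level cannot be determined"]
    level = max(levels, key=RANK.get)
    warnings = []
    if len(levels) > 1:
        warnings.append("multiple validation policies asserted: " + ", ".join(sorted(levels)))
    # Per the CA/Browser Forum Baseline Requirements (an assumption not stated in
    # the article): DV certificates carry no organisation name; OV and EV must.
    subject = re.search(r"^\s*Subject:\s*(.*)$", cert_text, re.MULTILINE)
    has_org = bool(subject and re.search(r"(^|[,/]\s*)O\s*=", subject.group(1)))
    if level == "DV" and has_org:
        warnings.append("DV policy but Subject contains an organisation (O=)")
    if level in ("OV", "EV") and not has_org:
        warnings.append(level + " policy but Subject has no organisation (O=)")
    return level, warnings

# Constructed, abbreviated samples of the openssl text output.
SAMPLE_OV = """\
        Subject: C = AU, O = Example Pty Ltd, CN = www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.2
"""
SAMPLE_DV = """\
        Subject: CN = www.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""
SAMPLE_MISMATCH = SAMPLE_DV.replace("2.23.140.1.2.1", "2.23.140.1.1")

if __name__ == "__main__":
    for name in ("SAMPLE_OV", "SAMPLE_DV", "SAMPLE_MISMATCH"):
        print(name, validation_level(globals()[name]))
```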