Domain Validated vs. Organization Validated SSL

How to tell DV and OV SSL Certificates apart

SSL certificates are issued at three levels of validation: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV).

Many articles have been written on how browsers display the difference between EV SSL and non-EV SSL (with the activation of the green address bar being the most obvious). Browsers give the two non-EV types, DV and OV, the same user interface, so telling them apart requires looking at the structure of the certificate itself.

Deterministic Approach

Today the only way to know with confidence that a certificate is of a specific type is to know the practices of each CA. In the X.509 PKI/Digital Certificate standard, the way an issuer is supposed to express its practices is via the Certificate Policies extension defined in RFC 5280.

This extension lets a CA place a unique identifier (an OID) in each issued certificate that maps to a document describing the practices under which that certificate was issued (the CA's Certificate Policy or Certification Practice Statement). Because the identifier is machine-readable, an application can use it programmatically to make trust decisions about a certificate or to vary its user interface according to the type of certificate.

This is exactly how browsers today can tell if a certificate is an EV Certificate. In essence they have some configuration that says “I trust GlobalSign to issue EV Certificates, when a certificate is presented to me from them that has this policy OID, show the EV user experience, such as activating the green address bar.”

The CA/Browser Forum Baseline Requirements use the same approach, defining policy identifiers for Domain Validated and Organization Validated certificates:

Type                     Policy Identifier
Domain Validated         2.23.140.1.2.1
Organization Validated   2.23.140.1.2.2

Having these identifiers takes us a long way towards our goal of deterministic evaluation of certificate issuance policy — that said, not all CAs have yet adopted them.

Heuristic Approach

Since the CA/B Forum Baseline Requirements only came into effect in 2012, it will naturally take some time for the existing install base of certificates to be reissued with the policy identifiers called out above. GlobalSign's CTO, Ryan Hurst, gives example code showing how an application can determine certificate class without relying on object identifiers:

Ryan Hurst on heuristic approaches to determining certificate classes: http://unmitigatedrisk.com/?p=203.
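The following is an added example written for this page; it is not GlobalSign's code and not the code from Ryan Hurst's post. It uses only the Go standard library and combines the two approaches above: it first decodes the Certificate Policies extension (OID 2.5.29.32) and returns a deterministic answer when one of the CA/B Forum DV or OV identifiers is present, and only otherwise falls back to a heuristic. The heuristic used here is an assumption made for the example, not the one from the linked post: a subject that carries an Organization (O=) attribute is treated as organization-vetted, a bare CN as domain-vetted. The certificates are self-signed test data constructed in NewTestCert, and the OID 1.3.6.1.4.1.99999.7 in main stands in for an issuer's own (non-CA/B) policy identifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-certificatePolicies (RFC 5280) and the CA/B Forum Baseline
// Requirements policy identifiers for DV and OV.
var (
	OIDCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	OIDCABFDomainValidated = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	OIDCABFOrgValidated    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
)

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers (CPS URI,
// user notice) are kept raw so certificates that carry them still decode.
type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
	Qualifiers       []asn1.RawValue `asn1:"optional"`
}

// Classify decodes the Certificate Policies extension and returns "DV" or "OV"
// with deterministic=true when a CA/B Forum OID is present. Otherwise it falls
// back to a heuristic that is an assumption for this example: a subject naming
// an organization (O=) was vetted as one, a bare CN looks like DV.
func Classify(cert *x509.Certificate) (string, bool, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(OIDCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		rest, err := asn1.Unmarshal(ext.Value, &infos)
		if err != nil || len(rest) != 0 {
			return "", false, fmt.Errorf("malformed Certificate Policies extension: %v", err)
		}
		for _, info := range infos {
			if info.PolicyIdentifier.Equal(OIDCABFDomainValidated) {
				return "DV", true, nil
			}
			if info.PolicyIdentifier.Equal(OIDCABFOrgValidated) {
				return "OV", true, nil
			}
		}
	}
	if len(cert.Subject.Organization) > 0 {
		return "OV", false, nil
	}
	return "DV", false, nil
}

// NewTestCert builds a self-signed example.com certificate (constructed test
// data, not a real issuance). org becomes the subject's O= attribute; oids, if
// any, are encoded into a Certificate Policies extension as an issuing CA would.
func NewTestCert(org []string, oids ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.com", Organization: org},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if len(oids) > 0 {
		var infos []policyInformation
		for _, oid := range oids {
			infos = append(infos, policyInformation{PolicyIdentifier: oid})
		}
		der, err := asn1.Marshal(infos) // SEQUENCE OF PolicyInformation
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: OIDCertificatePolicies, Value: der}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct{ org []string; oids []asn1.ObjectIdentifier }{
		{nil, []asn1.ObjectIdentifier{OIDCABFDomainValidated}},
		{[]string{"Example Corp"}, []asn1.ObjectIdentifier{OIDCABFOrgValidated}},
		{[]string{"Example Corp"}, []asn1.ObjectIdentifier{{1, 3, 6, 1, 4, 1, 99999, 7}}}, // issuer's own OID only
		{nil, nil}, // legacy certificate with no policies extension
	}
	for _, c := range cases {
		cert, err := NewTestCert(c.org, c.oids...)
		if err != nil {
			panic(err)
		}
		class, deterministic, err := Classify(cert)
		fmt.Printf("O=%v policies=%v -> %s deterministic=%t err=%v\n", c.org, c.oids, class, deterministic, err)
	}
}
```

In a real client the certificate to classify is the leaf from tls.ConnectionState().PeerCertificates, after normal chain validation. As the browser EV configuration described above shows, a policy OID is only as trustworthy as the CA asserting it, so a deployment that acts on the "DV" or "OV" result should pair the OID check with a list of issuers it trusts to follow the Baseline Requirements; the heuristic branch is a best-effort guess for certificates that predate the identifiers and should be treated as such.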

Summary

Unfortunately there is not yet a deterministic way to tell whether every certificate was Domain or Organization Validated: only certificates whose issuer has adopted the CA/B Forum policy identifiers can be classified with certainty. Things are changing, however, and within a few years it should be possible across the board.

In the meantime there are heuristics you can use that help tell these types of certificates apart.