Certification Authorities have a responsibility to ensure they only ever issue SSL Certificates to legitimate companies. This can only be achieved by employing stringent validation processes, so that issuance practices allow an SSL Certificate to be issued only to a legitimate company. After all, anyone relying on the presence of an SSL Certificate does so not just for the encryption it provides, but also as an indication of the legitimacy of the site. Whether they realize it or not, consumers dictate that Certification Authorities have a duty to perform satisfactory validation of all SSL Certificate applicants. If validation is weak, consumer confidence in SSL Certificates will be undermined. Not all SSL Certificates are equal.
The value of an SSL Certificate is protected by the strength of a standard two-point validation process:
- Step 1: Verify that the applicant owns, or has legal right to use, the domain name featured in the application.
- Step 2: Verify that the applicant is a legitimate and legally accountable entity.
The compromise of either step endangers the message of trust and legitimacy provided to the end consumer. The domain validation step relies on Domain Name Registrar details to validate ownership of a domain name, and a challenge email is then sent to the listed administrator of the domain name. If the challenge is met with a successful reply, the Certificate will be issued.
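The challenge-email check described above can be sketched as follows. This is an added example, not code from the original page or from any Certification Authority; `DomainChallenge`, `REGISTRAR_RECORDS` and `TOKEN_TTL` are hypothetical names, the registrar record is constructed, and mail delivery is modeled by returning the recipient and token. It covers Step 1 only, so a passing result says nothing about the applicant's legal identity (Step 2).

```python
import hashlib
import hmac
import secrets
import time

# Constructed registrar (WHOIS-style) record for illustration; not real data.
REGISTRAR_RECORDS = {"example.com": {"admin_email": "admin@example.com"}}
TOKEN_TTL = 3600  # assumed validity window for a challenge, in seconds


class DomainChallenge:
    """Email challenge-response check for control of a domain name."""

    def __init__(self, registrar_records, ttl=TOKEN_TTL):
        self.records = registrar_records
        self.ttl = ttl
        self.pending = {}  # domain -> (sha256 of token, expiry time)

    def issue(self, domain, now=None):
        """Return (recipient, token) for the challenge email.

        The recipient always comes from the registrar record, never from
        the certificate application, so the applicant cannot redirect it.
        """
        now = time.time() if now is None else now
        domain = domain.lower()
        record = self.records.get(domain)
        if record is None:
            raise LookupError("no registrar record for " + domain)
        token = secrets.token_urlsafe(32)  # unguessable random value
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[domain] = (digest, now + self.ttl)  # store the hash only
        return record["admin_email"], token

    def verify(self, domain, reply_token, now=None):
        """True only for the first, unexpired, exact reply to the challenge."""
        now = time.time() if now is None else now
        # pop() makes every challenge single use: a replay or a wrong guess
        # consumes it, and a fresh challenge email has to be issued.
        entry = self.pending.pop(domain.lower(), None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            return False
        candidate = hashlib.sha256(reply_token.encode()).hexdigest()
        return hmac.compare_digest(candidate, digest)  # constant-time compare
```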