Domain-validated certificate

A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.^[1]^[2]

Issuing criteria[edit]

The sole criterion for a domain-validated certificate is proof of control over a domain. Typically control over a domain is determined using one of the following:

Response to email sent to the email contact in the domain's whois details
Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
Publishing a DNS TXT record
Publishing a nonce provided by an automated certificate issuing system

A domain-validated certificate is distinct from an Extended Validation Certificate in that this is the only requirement for issuing the certificate. In particular, domain-validated certificates do not assure that any particular legal entity is connected to the certificate, even if the domain name may imply a particular legal entity controls the domain.

User interface[edit]

Most web browsers may show a lock (often in grey, rather than the green lock typically used for an Extended Validation Certificate) and a DNS domain name. A legal entity is never displayed, as domain-validated certificates do not include a legal entity in their subject.

Mozilla Firefox historically showed domain validated certificates with a grey lock, but was modified to show a green lock for DV connections after Mozilla launched Let's Encrypt (which only provides domain-validated certificates).
Safari shows domain-validated certificates with a grey lock.
Microsoft Edge displays domain-validated certificates with a hollow grey lock.
Chrome and Chromium display a green lock.

Characteristics[edit]

As the low assurance requirements allow domain-validated certificates to be issued quickly without requiring human intervention, domain-validated certificates have a number of unique characteristics:

Domain-validated certificates are used in automated X.509 certificate issuing systems.
Domain-validated certificates are often cheap or free.

Criticism[edit]

DV does not authenticate the certificate holder as a real world entity[edit]

Domain validation reducing validation requirements for both Certificate Authorities and applicants. However Domain Validation does not assert the certificate belongs to a specific real world entity, but rather a DNS domain name - whether that domain has any association with a company or otherwise.

A domain validated HTTPS certificate for the domain paypal.com.removed-limits.com, being displayed as 'Secure' in the Chrome web browser.

References[edit]

^ "Domain Validated SSL? Why We Don't Offer It". www.digicert.com. Retrieved 2015-09-07.
^ "Domain Validated SSL Certificates". www.sslshopper.com. Retrieved 2015-09-07.

[1] "Domain Validated SSL? Why We Don't Offer It". www.digicert.com. Retrieved 2015-09-07.

[2] "Domain Validated SSL Certificates". www.sslshopper.com. Retrieved 2015-09-07.

[1]

[2]

Domain-validated certificate

Contents

Issuing criteria[edit]

User interface[edit]

Characteristics[edit]

Criticism[edit]

DV does not authenticate the certificate holder as a real world entity[edit]

References[edit]

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Interaction

Tools

Print/export

Languages