CA/Browser Forum

About EV SSL

Objectives of Extended Validation

The primary objectives of an EV SSL Certificate are to:

  1. Identify the legal entity that controls a web site by providing reasonable assurance to the user of an Internet browser that the web site the user is accessing is controlled by a specific legal entity identified in the EV Certificate by name, address of Place of Business, Jurisdiction of Incorporation or Registration and Registration Number or other disambiguating information; and
  2. Enable encrypted communications with a web site by facilitating the exchange of encryption keys in order to enable the encrypted communication of information over the Internet between the user of an Internet browser and a web site.

The secondary objectives (which are derived from the primary) are to help establish the legitimacy of an entity claiming to operate a Web site, and to provide a vehicle that can be used to assist in addressing problems related to phishing, malware, and other forms of online identity fraud. By providing more reliable third-party verified identity and address information regarding the entity, EV SSL Certificates may help to:

  1. Make it more difficult to mount phishing and other online identity fraud attacks using Certificates;
  2. Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves to users; and
  3. Assist law enforcement organizations in their investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the entity.

About Extended Validation Identity Vetting

The Extended Validation Guidelines (EVG) contain a set of steps required to validate entity identity information prior to the issuance of an EV SSL Certificate. Since 2012 the EVG has incorporated the identity vetting steps found in the Baseline Requirements by reference (see About the Baseline Requirements).

Certification Authorities (CAs) may only issue EV SSL Certificates to Private Organizations, Government Entities, Business Entities and Non-Commercial Entities that satisfy the requirements specified below. The EVG sets forth slightly different verification requirements for the different entities entitled to apply for EV SSL Certificates. Each of the required elements below must be verified. The EVG also sets forth more detailed requirements and acceptable methods for verifying each fact asserted by the applicant. Additional details about the vetting process, beyond the criteria listed below, appear throughout Section 11 of the EVG.

Private Organizations

An Applicant qualifies as a Private Organization if:

  1. The entity’s legal existence is created or recognized by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation, registration number, etc.) or created or recognized by a Government Agency (e.g. under a charter, treaty, convention, or equivalent recognition instrument);
  2. The entity has designated with the Incorporating or Registration Agency a Registered Agent, a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration), or an equivalent facility;
  3. The entity is not designated on the records of the Incorporating or Registration Agency by labels such as “inactive,” “invalid,” “not current,” or the equivalent;
  4. The entity has a verifiable physical existence and business presence;
  5. The entity’s Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
  6. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

Government Entities

An Applicant qualifies as a Government Entity if:

  1. The entity’s legal existence was established by the political subdivision in which the entity operates;
  2. The entity is not in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
  3. The entity is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

Business Entities

An Applicant qualifies as a Business Entity if:

  1. The entity is a legally recognized entity that filed certain forms with a Registration Agency in its jurisdiction, the Registration Agency issued or approved the entity’s charter, certificate, or license, and the entity’s existence can be verified with that Registration Agency;
  2. The entity has a verifiable physical existence and business presence;
  3. At least one Principal Individual associated with the entity is identified and validated by the CA;
  4. The identified Principal Individual attests to the representations made in the Subscriber Agreement;
  5. The CA verifies the entity’s use of any assumed name used to represent the entity pursuant to the requirements in the EVG;
  6. The entity and the identified Principal Individual associated with the entity are not located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
  7. The entity and the identified Principal Individual associated with the entity are not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

Non-Commercial Entities

An Applicant qualifies as a Non-Commercial Entity if:

  1. The Applicant is an International Organization Entity, created under a charter, treaty, convention or equivalent instrument that was signed by, or on behalf of, more than one country’s government. The CA/Browser Forum may publish a listing of Applicants who qualify as an International Organization for EV eligibility; and
  2. The Applicant is not headquartered in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction; and
  3. The Applicant is not listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

Subsidiary organizations or agencies of an entity that qualifies as a Non-Commercial Entity also qualify for EV Certificates as Non-Commercial Entities.

Since 2012, the Baseline Requirements have been incorporated by reference into, and form part of, the CA/Browser Forum’s Extended Validation Guidelines.

The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary gathering of Certificate Issuers and suppliers of Internet browser software and other applications that use certificates (Certificate Consumers).