DV vs EV/OV SSL Certificates – Practical Differences Between DV and EV/OV SSL Certificates


When I view a site's SSL certificate from a browser, it always says in the "Issued to" section that the organisation is not part of the certificate.

If end users cannot independently verify my organisation (I assume the browser now does that for them), what is the practical value of having an OV/EV certificate? Is it for some other reason? If so, what?

I see that at the time of writing Comodo says that not only does OV/EV show the organization details in the certificate, but:

In addition to the secure padlock symbol, EV SSL certificates activate
the “green address bar” in select web browsers by displaying the
authenticated company name in green adjacent to the web address.

I don't think either statement has been true for about a couple of years now for most browsers. They list some other benefits, but these seem marginal ("Comes with the ComodoCA Trust Logo" – is there much evidence that end users know or care about that?).


EDIT: Since I posted my question, I now see that there are some sites that have an organisation in their certificates: uk.yahoo.com (albeit showing as "Oath Inc") and www.bankofengland.co.uk. This obviously negates my initial point. But I think my main question still stands. Curious that Google don't use EV though.

Best Answer

An OV/EV certificate would contain the O (Organization), C (Country), etc. values (part of what the CA states that they have validated), all visible to any user who actually decides to look at it.

In more detail, if we look at two different major branches of browsers:

For Chrome (92): for EV it shows directly in the overview that pops up when you click the padlock symbol "Issued to: O [C]" (Organization name and country)
For Firefox (90): for EV it shows directly in the overview that pops up when you click the padlock symbol "Certificate issued to: O" (Organization name)

(The "green address bar" mentioned in the question is in reference to a historical UI element that showed essentially the above information directly in the address bar.)

For Chrome and Firefox: for EV as well as OV, if you click through to view the actual certificate and go to the "Subject" section, you would have the full list of claimed information about the subject. O (Organization), OU (Organizational Unit), L (Locality), S (State/Province), C (Country), whatever else may be included.

So it is all there and can theoretically be inspected by any end user. The problem in this regard is that it is very rarely actually viewed by users in practice.
I suppose there is a slightly higher chance that the summary for EV certs (with O and sometimes C) is seen by a user, but even that is a real long shot.

And for completeness, any of these certs only contain the values about the subject that have been validated by the CA, meaning that for DV certs, the subject section will not have any of this information as the CA has only validated that the subject controls the domain name in question. The useful part of a DV cert would really only be the SAN section, but that is what the browser is already validating for you and throwing a fit if there is a mismatch.
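
Added example (not part of the original question or answer): a small Python script that reads the Subject and SAN of a certificate in the dict shape returned by the standard library's `ssl.SSLSocket.getpeercert()` and reports which identity fields the CA has asserted. The three sample certificates are constructed, and the EV check is a heuristic that assumes EV subjects carry `businessCategory`, `jurisdictionCountryName` and `serialNumber`.

```python
# Heuristic only: the authoritative DV/OV/EV signal is the policy OID in the
# certificate policies extension, which the getpeercert() dict does not carry.
IDENTITY_FIELDS = ("organizationName", "organizationalUnitName",
                   "localityName", "stateOrProvinceName", "countryName")
# Assumption: subject attributes expected on EV certificates in addition to O.
EV_MARKERS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def flatten_subject(cert):
    """Turn the nested RDN tuples of 'subject' into {attribute: [values]}."""
    out = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            out.setdefault(name, []).append(value)
    return out


def describe(cert):
    """Report the apparent validation level, identity fields and DNS SANs."""
    subject = flatten_subject(cert)
    identity = {k: subject[k] for k in IDENTITY_FIELDS if k in subject}
    if "organizationName" not in subject:
        level = "DV"   # only domain control was validated
    elif EV_MARKERS <= subject.keys():
        level = "EV"
    else:
        level = "OV"
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"level": level, "identity": identity, "dns_names": sans}


# Constructed sample certificates (not taken from real sites).
DV_SAMPLE = {"subject": ((("commonName", "shop.example"),),),
             "subjectAltName": (("DNS", "shop.example"),
                                ("DNS", "www.shop.example"))}
OV_SAMPLE = {"subject": ((("countryName", "GB"),), (("localityName", "London"),),
                         (("organizationName", "Example Ltd"),),
                         (("commonName", "example.org"),)),
             "subjectAltName": (("DNS", "example.org"),)}
EV_SAMPLE = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "GB"),),
                         (("serialNumber", "00000000"),),
                         (("countryName", "GB"),),
                         (("organizationName", "Example Bank plc"),),
                         (("commonName", "bank.example"),)),
             "subjectAltName": (("DNS", "bank.example"),)}

if __name__ == "__main__":
    for sample in (DV_SAMPLE, OV_SAMPLE, EV_SAMPLE):
        print(describe(sample))
```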