What is the long term future for Extended Validation TLS certificates?
One of the things I wonder about with Extended Validation TLS certificates is what things will look like for them in the long term, say five to ten years. I don't think things will look like today, because as far as I can see EV certificates are in an unstable situation today since in practice they're invisible and so don't provide any real benefits. Commercial Certificate Authorities certainly very much want EV certificates to catch on and become more important, but so far it hasn't happened and it's quite possible that things could go the other way.
So here are some futures that I see for EV certificates, covering a range of possibilities:
- EV certificates become essentially a superstition that lingers on
as 'best practices' among large corporations for whom both the
cost and the bureaucracy are not particularly a factor in their
choices. These organizations are unlikely to go with CAs like
Let's Encrypt anyway, so while they're paying for some TLS
certificates they might as well pay a bit more, submit some more
paperwork, and get something that makes a minor difference in
- EV certificates will become quietly irrelevant and die off. CAs
won't be able to do enough EV certificate business to make it
worth sustaining the business units involved, so they'll quietly
exit the unprofitable business.
- Browsers will become convinced that EV certificates provide no
extra value (and if anything they just confuse users in practice)
and will remove the current UI, making EV certificates effectively
valueless and killing almost all of the business. Browsers hold all
the cards here and at least Mozilla has openly refused to commit to
any particular UI for EV certificates. See, for example,
Ryan Hurt's "Positive Trust Indicators and SSL", which also dumps some rain
on EV certificate problems.
One thing that could tip the browser balance here is scandals in CAs issuing (or not issuing) EV certificates improperly. If EV certificates seem not necessarily routinely worth extra trust, it becomes more likely that browsers will stop giving them any extra trust indicators.
- CAs will persuade browser vendors to make some new browser features
having an EV certificate, on the grounds that such sites are 'extra
trustworthy'. I don't think this is likely to happen, but I'm sure
CAs would like it to since it would add clear extra value to EV
certificates and browsers are making APIs conditional on HTTPS.
(A 'must be HTTPS' API restriction has a good reason for existing, one that doesn't apply to EV certificates specifically, but that's another entry.)
- CAs will persuade some other organization to make some security
standard require or strongly incentivize EV certificates; the
obvious candidate is PCI DSS,
which already has some TLS requirements. This would probably be
easier than getting browsers to require EV certificates for things
and it would also be a much stronger driver of EV certificate
sales. I'm sure the CAs would love this and I suspect that at
least some companies affected by PCI DSS wouldn't care too much
either way. However, some CA moves on EV certificates might harm
(On the other hand, some large ones would probably care a lot because they already have robust TLS certificate handling that would have to be completely upended to deal with the requirements of EV certificates. For instance, Amazon is not using an EV certificate today.)
On the balance the first outcome seems most likely to me at the moment, but I'm sure that CAs are working to try to create something more like the latter two since EV certificates are probably their best hope for making much money in the future.
(I also wonder what the Certificate Authority landscape will look like in five to ten years, but I have fewer useful thoughts on that apart from a hope that Let's Encrypt is not the only general-use CA left. I like Let's Encrypt, but I think that a TLS CA monoculture would be pretty dangerous.)