What is the long term future for Extended Validation TLS certificates?

May 31, 2018

One of the things I wonder about with Extended Validation TLS certificates is what things will look like for them in the long term, say five to ten years. I don't think things will look like they do today, because as far as I can see EV certificates are in an unstable situation today since in practice they're invisible and so don't provide any real benefits. Commercial Certificate Authorities certainly very much want EV certificates to catch on and become more important, but so far it hasn't happened and it's quite possible that things could go the other way.

So here are some futures that I see for EV certificates, covering a range of possibilities:

  • EV certificates become essentially a superstition that lingers on as 'best practices' among large corporations for whom both the cost and the bureaucracy are not particularly a factor in their choices. These organizations are unlikely to go with CAs like Let's Encrypt anyway, so while they're paying for some TLS certificates they might as well pay a bit more, submit some more paperwork, and get something that makes a minor difference in browsers.

  • EV certificates will become quietly irrelevant and die off. CAs won't be able to do enough EV certificate business to make it worth sustaining the business units involved, so they'll quietly exit the unprofitable business.

  • Browsers will become convinced that EV certificates provide no extra value (and if anything they just confuse users in practice) and will remove the current UI, making EV certificates effectively valueless and killing almost all of the business. Browsers hold all the cards here, and at least Mozilla has openly refused to commit to any particular UI for EV certificates. See, for example, Ryan Hurst's "Positive Trust Indicators and SSL", which also airs some of the problems with EV certificates.

    One thing that could tip the browser balance here is scandals in CAs issuing (or not issuing) EV certificates improperly. If EV certificates don't seem to reliably deserve extra trust, it becomes more likely that browsers will stop giving them any extra trust indicators.

  • CAs will persuade browser vendors to make some new browser features (in JavaScript, DOM and host APIs, CSS, etc.) conditional on the site having an EV certificate, on the grounds that such sites are 'extra trustworthy'. I don't think this is likely to happen, but I'm sure CAs would like it to, since it would add clear extra value to EV certificates, and browsers are already making some APIs conditional on HTTPS.

    (A 'must be HTTPS' API restriction has a good reason for existing, one that doesn't apply to EV certificates specifically, but that's another entry.)

  • CAs will persuade some other organization to make some security standard require or strongly incentivize EV certificates; the obvious candidate is PCI DSS, which already has some TLS requirements. This would probably be easier than getting browsers to require EV certificates for things and it would also be a much stronger driver of EV certificate sales. I'm sure the CAs would love this and I suspect that at least some companies affected by PCI DSS wouldn't care too much either way. However, some CA moves on EV certificates might harm this.

    (On the other hand, some large ones would probably care a lot because they already have robust TLS certificate handling that would have to be completely upended to deal with the requirements of EV certificates. For instance, Amazon is not using an EV certificate today.)
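To make the 'invisible' point concrete, here is an added example (my own, not code from the original entry): the only thing that mechanically marks a certificate as EV is the CA/Browser Forum EV policy OID 2.23.140.1.1 in its certificatePolicies extension, and ordinary X.509 path validation never looks at it. The script builds two self-signed certificates for a hypothetical host (www.example.com, chosen for the example), one without any policy and one with the EV OID, then shows that both validate identically and only the policy list differs. It assumes openssl 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example, not code from the original post. Two self-signed certificates
# for a hypothetical host: one with no policy OID (DV-style) and one carrying
# the CA/Browser Forum EV policy OID, which is the only thing that marks a
# certificate as EV. Requires openssl 1.1.1 or later (for -addext).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA/Browser Forum EV policy identifier. Browser EV UI keys off this OID (or a
# CA-specific OID the browser has mapped to EV); nothing else in TLS does.
EV_POLICY_OID="2.23.140.1.1"

# make_cert NAME [extra openssl req args]: self-signed cert + key in $WORK.
# The host name is a hypothetical value chosen for the example.
make_cert() {
    name=$1
    shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" "$@" 2>/dev/null
}

# policy_oids CERT: print the policy OIDs listed in the certificatePolicies
# extension, one per line (prints nothing if the extension is absent).
policy_oids() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: *//p'
}

# is_ev CERT: succeed only if the certificate asserts the EV policy OID.
is_ev() {
    policy_oids "$1" | grep -qxF "$EV_POLICY_OID"
}

# chain_ok CERT: ordinary X.509 path validation, using the certificate as its
# own trust anchor. This step does not consult certificatePolicies at all.
chain_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

make_cert dv
make_cert ev -addext "certificatePolicies=$EV_POLICY_OID"

# Report: both certificates validate identically; only the policy list differs.
for name in dv ev; do
    cert="$WORK/$name.pem"
    if is_ev "$cert"; then ev=yes; else ev=no; fi
    if chain_ok "$cert"; then ok=yes; else ok=no; fi
    printf '%s.pem: policies=[%s] ev=%s verify=%s\n' \
        "$name" "$(policy_oids "$cert" | tr '\n' ' ')" "$ev" "$ok"
done
```

Run it as-is; the dv line reports an empty policy list and the ev line reports 2.23.140.1.1, while verify=yes on both. Real EV certificates also carry a CA-specific policy OID alongside 2.23.140.1.1, and the is_ev check here deliberately ignores those, since the mapping from CA OIDs to EV is a browser policy decision, not something expressed in the certificate.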

On balance the first outcome seems most likely to me at the moment, but I'm sure that CAs are working to try to create something more like the latter two, since EV certificates are probably their best hope for making much money in the future.

(I also wonder what the Certificate Authority landscape will look like in five to ten years, but I have fewer useful thoughts on that apart from a hope that Let's Encrypt is not the only general-use CA left. I like Let's Encrypt, but I think that a TLS CA monoculture would be pretty dangerous.)

Written on 31 May 2018.