I am one of Wesentra’s three verification specialists and have been trained and certified by Entrust Datacard. Our job is to find all the information necessary, verify an organization’s legal existence, contact customers, ascertain why they want to get an SSL/TLS certificate in the first place, and to help them with the verification process. We prepare the verification documents they need, and an auditor from Entrust Datacard checks the documents –either accepting the verification or asking for more information. Entrust Datacard has authorized four partners around the world to do this verification work; Wesentra is the only partner in Europe.
In my job I need to be precise, systematic, customer-friendly and patient. Verification work itself can sometimes be challenging. We need to be sure that the organizations and contact persons are truly who and what they claim to be. Sometimes reaching people by phone can be challenging. There can be difficulties if organizations have no switch board numbers (needed in EV verification). Luckily in Finland we have very good registries to check the contact details of organizations. From time to time we get also urgent verification cases and it is always great managing successfully to complete them in time with the customers.
Security for SSL/TLS certificate is provided by verification
CA (Certificate Authority) services and provision of SSL/TLS certificates are regulated by the CA/Browser Forum. This standardized regulation confirms that the SSL/TLS certificate has been verified by a trusted authority. There are three different levels of verification: Domain Validation (DV), Organizational Validation (OV), and Extended Validation (EV).
Domain Validation (DV)
This is the least secure way to have an SSL/TLS certificate because you only accept an e-mail sent by the CA. There is no organization verification or third-party check. The certificate just provides encryption. Visitors to the web site have no way of checking the identity of the organization providing the website.
Organizational Validation (OV)
In organizational validation, the CA checks your organization via third-party registries. The contact person employed by the organization is also verified and this person is typically contacted by phone. Website visitors can look for the SSL/TLS certificate and see the name of the organization providing the website as well as the name of the CA who carried out the validation.
Extended Validation (EV)
Even more third-party registries are needed for extended validation than in OV, and two people from the organization are contacted for verification. Visitors to the website can see the name of the organization in the address bar as well as a green padlock icon. This high-quality SSL/TLS certificate provides the best security, for example, against phishing sites which mimic the real website addresses, and which typically have a DV certificate.
Also the domains need to be verified
Organizations that want an SSL/TLS certificate also need to show they control the target domain. There are three different methods to verify this domain (DNS, email, or web server).