TL;DR: EV certificates are less about encryption alone and more about brand protection, with CA checks, certificate transparency, and disputed-name handling shaping whether identity claims can be trusted in practice, according to DigiCert. That makes certificate policy, ownership, and disclosure part of identity governance, not just PKI administration.
At a glance
What this is: This is an analysis of how EV certificates function as an identity and brand-protection control, and why current issuance and transparency practices still leave gaps.
Why it matters: It matters because certificate governance increasingly sits at the intersection of NHI, trust validation, and enterprise brand protection, which IAM and security teams cannot treat as a pure PKI issue.
By the numbers:
👉 Read DigiCert's analysis of EV certificates, brand protection, and CAA policy
Context
Extended Validation certificates sit in the trust layer between public web identities and the controls that prove who controls a domain or branded service. In practice, the governance problem is not encryption alone, but whether certificate issuance accurately reflects the legal entity, trademark, and authorization behind the identity being presented.
For IAM and security teams, this is a lifecycle question as much as a PKI question. If certificate issuance, dispute handling, and revocation evidence are weak, identity claims can persist without clear ownership, which creates risk across human-facing brands, service endpoints, and non-human credentials tied to those services.
The article argues that EV's value is tied to brand protection, but that value depends on better-defined issuance policy, certificate transparency, and evidence that CA checks were actually performed. Those are governance requirements, not just administrative preferences.
Key questions
Q: How should organisations govern certificate issuance when brand ownership is contested?
A: They should treat certificate issuance as an authorization problem, not just a validation step. The request should be checked against legal entity ownership, trademark evidence, and domain control before issuance. If there is any duplicate or contested name, issuance should pause until dispute handling confirms who is authorized to represent the brand.
Q: Why do CAA records and certificate transparency need to work together?
A: CAA defines who may issue a certificate, but it only helps if the CA actually checks the record and keeps evidence of the result. Certificate Transparency adds visibility after issuance, which helps organizations detect unexpected or unauthorized certificates. Used together, they provide both preventative policy and downstream detection.
Q: What do security teams get wrong about EV certificates?
A: They often assume EV is mainly about stronger encryption, when the real value lies in identity assurance and brand protection. If issuance, naming, and evidence controls are weak, an EV certificate can still validate the wrong party. That is why governance around ownership matters as much as the certificate itself.
Q: Who should own certificate disputes when duplicate names appear?
A: Ownership should sit jointly with security, legal, and DNS or certificate operations, because the issue combines identity proof, brand rights, and infrastructure control. A clear escalation path should define what evidence is required, who can approve a claim, and when issuance must be blocked until resolution is complete.
Technical breakdown
How EV issuance turns certificate requests into identity checks
EV issuance is more than a cryptographic enrollment step. The CA compares a request against previously issued EV certificates, looks for duplicate name claims, and may block issuance until ownership and authorization are resolved. That process tries to connect the certificate to a legal entity, not just a domain name, which is why EV is often discussed as a trust and branding control. The weakness is that the process depends on CA policy consistency and on evidence that the review actually happened. Without that evidence, the issuance path becomes hard to audit after the fact.
Practical implication: treat EV issuance as an auditable identity workflow, not a clerical certificate request.
CAA records and certificate transparency need evidence, not just policy
CAA records let a domain publish which CAs and which certificate types are allowed, but CAA is only useful if the CA actually checks and records the result. DigiCert's critique is that point-in-time checks without retained evidence are hard to verify later, especially if a CA claims a timeout or missing response. Certificate Transparency addresses a different failure mode by making issued certificates visible in public logs, which helps organizations detect unauthorized issuance or brand misuse. Together, these controls only work when policy, logging, and review are all present.
Practical implication: require retained CAA check evidence and monitor CT logs as part of certificate governance.
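The CAA check described above, written out as an added example (not DigiCert's or NHIMG's code): it climbs the name tree as RFC 8659 specifies, decides whether a requesting CA is authorised, and records every lookup, including a simulated timeout, as retained evidence. The zone contents, CA names and `CaaEvidence` structure are constructed for the example.

```python
"""Added example (not DigiCert's or NHIMG's code): evaluate a CAA policy as RFC 8659
describes and keep evidence of every step, including timeouts. DNS is simulated."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed zone: name -> list of (flags, tag, value). None simulates a timeout.
ZONE = {
    "example.com": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "timeout.example.com": None,
}

@dataclass
class CaaEvidence:
    checked_at: str
    steps: list = field(default_factory=list)  # (name, kind, detail) per query
    decision: str = "undetermined"

def lookup(name):
    """Simulated CAA query: returns the RRset (possibly empty) or raises on timeout."""
    if ZONE.get(name, []) is None:
        raise TimeoutError(f"CAA query for {name} timed out")
    return ZONE.get(name, [])

def check_caa(fqdn, ca, wildcard=False):
    """Climb from fqdn toward the root until a CAA RRset is found (RFC 8659 s.3)."""
    ev = CaaEvidence(checked_at=datetime.now(timezone.utc).isoformat())
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        try:
            rrset = lookup(name)
        except TimeoutError as exc:
            # A timeout is not "no CAA": record it and refuse to decide automatically.
            ev.steps.append((name, "timeout", str(exc)))
            ev.decision = "blocked: lookup failed, manual review required"
            return ev
        ev.steps.append((name, "rrset", list(rrset)))
        if rrset:
            break
    # Wildcard requests are governed by issuewild when present, otherwise by issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    # Keep the CA domain only (parameters after ';' are ignored here); an empty set means
    # no relevant property exists, which RFC 8659 treats as no restriction.
    allowed = {v.split(";")[0].strip() for _, t, v in rrset if t == tag}
    if not allowed:
        ev.decision = f"allowed: no {tag} restriction found"
    elif ca in allowed:
        ev.decision = f"allowed: {tag} authorises {ca}"
    else:
        ev.decision = f"blocked: {tag} does not authorise {ca}"
    return ev
```

The `steps` list is the evidence a CA would need to retain: it shows which names were queried, what came back, and that a timeout was treated as a blocking condition rather than as permission.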
Brand protection is a governance outcome, not a browser feature
EV was originally intended to help distinguish legitimate sites from phishing, but the article makes clear that users do not reliably distinguish one legal entity from another with similar names. That means the control is only partially effective if the broader ecosystem cannot resolve disputes, validate trademarks, and preserve issuance records across CAs. In security terms, the identity proof is only as strong as the lifecycle around it: request, authorization, issuance, monitoring, and dispute resolution.
Practical implication: manage EV as part of identity lifecycle and brand governance, not just TLS hardening.
Threat narrative
Attacker objective: The objective is to obtain a certificate that lends credibility to a fraudulent or unauthorized identity claim and undermines brand trust.
- Entry occurs when a requester submits a legitimate-looking EV certificate application that satisfies formal validation checks but does not reflect the true trademark owner.
- Escalation happens when duplicate-name claims or missing authorization create a dispute, and the control outcome depends on whether the CA can verify prior ownership and policy compliance.
- Impact is unauthorized certificate issuance or delayed protection for the rightful brand, which can weaken trust and assist phishing or impersonation.
Breaches seen in the wild
- Sisense breach — unauthorized GitLab access led to exfiltration of access tokens, API keys and certificates.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
EV certificates expose an identity governance problem, not just a browser trust problem. The article shows that certificate issuance can validate a legal shell while still failing to protect the real controlling entity's brand. That means the control plane is broader than TLS, because name resolution, trademark ownership, and issuance evidence all shape whether identity claims are trustworthy. Practitioners should treat EV as part of identity governance, not as a standalone encryption feature.
Certificate Transparency is only useful when organisations can operationalise it. Public logs do not create security on their own; they create visibility that must be monitored and acted on. If organizations do not watch for unauthorized issuance or duplicate name claims, CT becomes an archive rather than a control. The implication is that certificate governance must include detection, ownership, and response workflows, not just issuance policy.
EV squatting is a lifecycle failure disguised as a validation success. The first entity to secure a name can create a lock-in effect that outlives legitimate ownership clarity. That is a governance premise designed for a stable, single-owner naming environment, and it fails when certificate names are contested or reused across entities. The implication is that issuance policy must account for dispute resolution and offboarding, not just initial registration.
Brand protection should be handled as a cross-functional identity control. The article ties EV to corporate reputation, not merely to site encryption. That places legal, security, DNS, and certificate teams in the same governance chain, because one weak link can allow a misleading certificate to exist. Practitioners should map certificate authority policy to the same ownership and accountability standards used for other identity assets.
From our research:
- 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
- Only 38% have automated certificate lifecycle management in place, which shows how often lifecycle governance still lags behind identity risk.
- For a broader view of credential exposure and lifecycle failure patterns, review NHI Lifecycle Management Guide and compare it with your certificate governance process.
What this signals
EV governance is moving toward proof-bearing policy, not trust by assertion. If certificate authorities cannot show how they checked CAA records or how they resolved name conflicts, organizations will increasingly treat issuance evidence as part of the control itself. The practical shift is toward auditability, not just validation.
With 91% of former employee tokens remaining active after offboarding, per the 2025 State of NHIs and Secrets in Cybersecurity, lifecycle drift is already the default failure pattern across identity systems. Certificate governance should be judged by the same standard: who can still assert control after the original owner changes.
The next maturity step is to connect certificate policy to the same ownership model used for other NHI assets, including offboarding, dispute handling, and visibility. That is how brand protection becomes a durable control rather than a point-in-time check.
For practitioners
- Map EV issuance to identity ownership records: Align certificate request approvals with trademark, legal entity, and domain ownership records so a valid form submission cannot override true authority.
- Retain proof of CAA checks: Require certificate authorities to preserve CAA lookup results, timeout handling, and issuance decisions so policy compliance can be verified later.
- Monitor certificate transparency logs for duplicate claims: Use CT log review to spot certificates issued under similar names, unexpected issuance patterns, or unauthorized certificates tied to your brand.
- Build a dispute workflow for contested names: Define who resolves duplicate-name conflicts, what evidence is required, and how certificate issuance is paused until ownership is confirmed.
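The CT log review in the list above, as an added example (not DigiCert's or NHIMG's code): it triages constructed CT entries for the three conditions the guidance names, issuance by a CA the brand's policy does not allow, another organisation's certificate carrying our organisation name, and lookalike domain names. The policy values, CT entries and the lookalike heuristic are all assumptions for the example; a production monitor would use the Public Suffix List and a fuller confusables table.

```python
"""Added example (not DigiCert's or NHIMG's code): review constructed CT log entries
for unauthorised issuers, duplicate organisation claims and lookalike names."""
import unicodedata

# Constructed brand policy; every value is an assumption for the example.
POLICY = {
    "org": "Example Brands Inc",
    "domains": {"example.com"},
    "approved_cas": {"digicert.com"},
}

# Constructed CT entries, as a log monitor would present them after parsing precerts.
CT_ENTRIES = [
    {"id": 1, "issuer": "digicert.com", "org": "Example Brands Inc", "sans": ["www.example.com"]},
    {"id": 2, "issuer": "other-ca.test", "org": "Example Brands Inc", "sans": ["api.example.com"]},
    {"id": 3, "issuer": "digicert.com", "org": "Example Brands Inc", "sans": ["examplebrands.shop"]},
    {"id": 4, "issuer": "digicert.com", "org": "Acme Retail", "sans": ["login-examp1e.com"]},
]

def registrable(name):
    """Crude eTLD+1 (last two labels); real monitors use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def normalise(label):
    """Fold common digit/letter confusables so 'examp1e' compares equal to 'example'."""
    folded = unicodedata.normalize("NFKC", label.lower())
    return folded.translate(str.maketrans("01", "ol")).replace("-", "")

def review(entry, policy=POLICY):
    """Return findings for one CT entry; an empty list means nothing unexpected."""
    findings = []
    brand = normalise(next(iter(policy["domains"])).split(".")[0])  # "example"
    ours = any(registrable(s) in policy["domains"] for s in entry["sans"])
    if ours and entry["issuer"] not in policy["approved_cas"]:
        findings.append("unauthorised issuer for our domain")
    if entry["org"] == policy["org"] and not ours:
        findings.append("our organisation name on a certificate for a domain we do not hold")
    for san in entry["sans"]:
        if registrable(san) not in policy["domains"] and brand in normalise(registrable(san).split(".")[0]):
            findings.append(f"lookalike name: {san}")
    return findings

def triage(entries=CT_ENTRIES):
    """Map entry id -> findings, keeping only entries that need a human look."""
    return {e["id"]: review(e) for e in entries if review(e)}
```

Each non-empty finding is a case for the dispute workflow in the last list item, not an automatic verdict: the heuristic will also flag legitimate partners and should feed review, not blocking.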
Key takeaways
- EV certificates are only as strong as the ownership, evidence, and dispute controls behind them.
- Certificate Transparency and CAA are complementary, but both fail if organisations do not retain proof and monitor outcomes.
- Practitioners should govern EV as part of identity lifecycle management, with explicit ownership and escalation paths.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | EV issuance is an identity proof and authorization control for web certificates. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Certificate lifecycle and issuance evidence are core machine-identity governance concerns. |
| NIST Zero Trust (SP 800-207) | AC-4 | CAA and CT support continuous trust verification rather than one-time approval. |
Track issuance, ownership, and revocation evidence for every certificate lifecycle event.
Key terms
- Extended Validation Certificate: An Extended Validation certificate is a public certificate that links a website or service to a verified legal entity. In practice, it is meant to strengthen trust by connecting technical encryption with organizational identity, but its value depends on how well issuance, naming, and dispute controls are enforced.
- Certificate Authority Authorization: Certificate Authority Authorization is a DNS policy record that tells certificate authorities which CAs may issue certificates for a domain and under what conditions. It helps control unauthorized issuance, but it only provides real governance when CA checks are performed consistently and preserved as evidence.
- Certificate Transparency: Certificate Transparency is a public logging system for certificates that makes issued certificates easier to detect and review. It does not stop issuance by itself, but it creates visibility that helps organizations discover unauthorized or unexpected certificates and respond before trust is exploited.
Deepen your knowledge
NHI governance, machine identity security, and secrets management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: EV Certificates & DigiCert. Read the original.
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org