TL;DR: EV certificates are less about encryption alone and more about brand protection, with CA checks, certificate transparency, and disputed-name handling shaping whether identity claims can be trusted in practice, according to DigiCert. That makes certificate policy, ownership, and disclosure part of identity governance, not just PKI administration.
NHIMG editorial — based on content published by DigiCert: EV Certificates & DigiCert
Questions worth separating out
Q: How should organisations govern certificate issuance when brand ownership is contested?
A: They should treat certificate issuance as an authorization problem, not just a validation step.
Q: Why do CAA records and certificate transparency need to work together?
A: CAA defines who may issue a certificate, but it only helps if the CA actually checks the record and keeps evidence of the result.
Q: What do security teams get wrong about EV certificates?
A: They often assume EV is mainly about stronger encryption, when the real value lies in identity assurance and brand protection.
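The CAA answer above hinges on two things the article stresses: the CA must actually resolve the record, and it must keep evidence of what it found, including lookups that never completed. The following Python is an added example written for this editorial, not DigiCert's code or anything from the source article. It walks the CAA lookup order from RFC 8659 (requested name first, then each parent until a CAA RRset turns up), evaluates `issue`/`issuewild` against the CA's identifier, and returns an evidence record alongside the decision. `ZONE` and `SLOW` are constructed stand-ins for DNS; a production checker would query a real resolver and should also record DNSSEC status.

```python
"""CAA evaluation that keeps an evidence record of every lookup.

Added example, not code from DigiCert or from the article. ZONE and SLOW are
constructed stand-ins for DNS; a real checker would use a resolver library.
"""
from datetime import datetime, timezone

CRITICAL = 128  # issuer-critical bit in the CAA flags byte (RFC 8659)


class CaaLookupTimeout(Exception):
    """Raised when the simulated resolver does not answer in time."""


# Constructed zone data: name -> list of (flags, tag, value).
# Names absent from the dict have no CAA RRset.
ZONE = {
    "example.com": [(0, "issue", "ca-a.example"), (0, "issuewild", ";")],
    "locked.example.com": [(CRITICAL, "unknown-tag", "x")],
}
SLOW = {"slow.example.com"}  # constructed: lookups for these names time out


def lookup_caa(name):
    """Simulated CAA query; returns [] when the name has no CAA RRset."""
    if name in SLOW:
        raise CaaLookupTimeout(name)
    return ZONE.get(name, [])


def value_domain(value):
    """CA identifier part of an issue/issuewild value ('ca.example; account=1' -> 'ca.example')."""
    return value.split(";", 1)[0].strip().lower()


def evaluate_caa(requested, ca_id):
    """Decide whether ca_id may issue for `requested`; return the decision with its evidence."""
    wildcard = requested.startswith("*.")
    base = requested[2:] if wildcard else requested
    evidence = {
        "requested": requested,
        "ca": ca_id,
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "lookups": [],
    }

    def decide(decision, reason):
        evidence["decision"] = decision
        evidence["reason"] = reason
        return evidence

    labels = base.lower().split(".")
    rrset = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        try:
            records = lookup_caa(name)
        except CaaLookupTimeout:
            evidence["lookups"].append({"name": name, "result": "timeout"})
            # An unresolved lookup is not the same as "no CAA": the CA must not
            # treat a failed query as permission to issue.
            return decide("deny", f"CAA lookup for {name} did not complete")
        evidence["lookups"].append({"name": name, "result": records})
        if records:
            rrset = records
            break  # the closest RRset is the only relevant one

    if not rrset:
        return decide("permit", "no CAA RRset found in the tree")
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag not in ("issue", "issuewild"):
            return decide("deny", f"unrecognised critical tag '{tag}'")
    # Wildcards use issuewild when present, otherwise fall back to issue.
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in rrset) else "issue"
    relevant = [value_domain(v) for _, t, v in rrset if t == tag]
    if not relevant:
        return decide("permit", f"no '{tag}' property restricts issuance")
    if ca_id.lower() in relevant:
        return decide("permit", f"'{tag}' record names {ca_id}")
    return decide("deny", f"'{tag}' records {relevant} do not name {ca_id}")


if __name__ == "__main__":
    for req in ("www.example.com", "*.example.com", "slow.example.com"):
        print(evaluate_caa(req, "ca-a.example"))
```

The evidence dict is what a CA would need to retain to show later that policy was honoured: every name queried, what each returned (including the timeout), and the reason attached to the decision. In this sketch a timeout is simply a denial; the point is that it is recorded as a distinct outcome rather than silently collapsing into "no CAA found".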
Practitioner guidance
- Map EV issuance to identity ownership records: Align certificate request approvals with trademark, legal entity, and domain ownership records so a valid form submission cannot override true authority.
- Retain proof of CAA checks: Require certificate authorities to preserve CAA lookup results, timeout handling, and issuance decisions so policy compliance can be verified later.
- Monitor certificate transparency logs for duplicate claims: Use CT log review to spot certificates issued under similar names, unexpected issuance patterns, or unauthorized certificates tied to your brand.
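The last guidance item, CT log review for similar names and unauthorised certificates, is easy to describe and fiddly to do well, because the interesting certificates are the ones that almost match your brand. The script below is an added example for this editorial, not DigiCert's tooling. `ENTRIES` is a constructed list standing in for records pulled from a CT log client or a CT search service; `BRAND`, `OWNED_SUFFIXES` and `AUTHORISED_ISSUERS` are assumed inputs an organisation would maintain. It raises two kinds of finding: a certificate for a name you own from an issuer you have not authorised, and a certificate whose registrable label is a lookalike of the brand after folding common confusable characters.

```python
"""Review of certificate transparency entries for duplicate or lookalike name claims.

Added example, not DigiCert code. ENTRIES is constructed; in production the
records would come from a CT log client or a CT search export.
"""
import unicodedata

BRAND = "example"                                # assumed brand label to protect
OWNED_SUFFIXES = ("example.com", "example.net")  # assumed domains the brand controls
AUTHORISED_ISSUERS = {"CA-A"}                    # assumed CAs allowed to issue for them

# Constructed CT entries: issuer name, SAN list, log timestamp.
ENTRIES = [
    {"issuer": "CA-A", "names": ["www.example.com"], "logged": "2024-05-01T10:00:00Z"},
    {"issuer": "CA-B", "names": ["login.example.com"], "logged": "2024-05-02T11:30:00Z"},
    {"issuer": "CA-C", "names": ["examp1e.com", "www.examp1e.com"], "logged": "2024-05-03T09:15:00Z"},
    {"issuer": "CA-A", "names": ["exarnple-support.net"], "logged": "2024-05-04T16:45:00Z"},
    {"issuer": "CA-D", "names": ["unrelated.org"], "logged": "2024-05-05T08:00:00Z"},
]

# Digits and letter pairs that are routinely mistaken for brand letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def skeleton(label):
    """Fold a label into the form a reader would perceive (examp1e -> example, exarnple -> example)."""
    folded = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def registrable_label(name):
    """Second-level label of a host name; a real tool would consult the Public Suffix List."""
    parts = name.lower().lstrip("*.").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_owned(name):
    return any(name == s or name.endswith("." + s) for s in OWNED_SUFFIXES)


def review(entries):
    """Return (name, issuer, finding) tuples worth a human look."""
    findings = []
    for entry in entries:
        for name in entry["names"]:
            if is_owned(name):
                if entry["issuer"] not in AUTHORISED_ISSUERS:
                    findings.append((name, entry["issuer"], "unauthorised-issuer"))
                continue
            sk = skeleton(registrable_label(name))
            lookalike = sk == BRAND or levenshtein(sk, BRAND) <= 1 or (BRAND in sk and sk != BRAND)
            if lookalike:
                findings.append((name, entry["issuer"], "lookalike"))
    return findings


if __name__ == "__main__":
    for finding in review(ENTRIES):
        print(finding)
```

Findings are deliberately a triage queue rather than a verdict: a lookalike name may be a legitimate partner or a trademark dispute in progress, which is exactly the case the article says still lacks a standard resolution path, so the output should feed the escalation process rather than trigger automated action.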
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The specific EV issuance checks DigiCert says it uses when duplicate name claims appear
- Its full rationale for why brand protection, not encryption alone, drives its view of EV
- The proposed EV guideline changes around CAA, trademark verification, and certificate transparency
- The dispute-resolution and proof-retention issues the article says still need standardization
👉 Read DigiCert's analysis of EV certificates, brand protection, and CAA policy →
EV certificates and brand protection: what should IAM teams rethink?
Explore further
EV certificates expose an identity governance problem, not just a browser trust problem. The article shows that certificate issuance can validate a legal shell while still failing to protect the real controlling entity's brand. That means the control plane is broader than TLS, because name resolution, trademark ownership, and issuance evidence all shape whether identity claims are trustworthy. Practitioners should treat EV as part of identity governance, not as a standalone encryption feature.
A few things that frame the scale:
- 53% of organisations have experienced a security incident directly related to machine identity management failures, according to The Critical Gaps in Machine Identity Management report.
- Only 38% have automated certificate lifecycle management in place, which shows how often lifecycle governance still lags behind identity risk.
A question worth separating out:
Q: Who should own certificate disputes when duplicate names appear?
A: Ownership should sit jointly with security, legal, and DNS or certificate operations, because the issue combines identity proof, brand rights, and infrastructure control. A clear escalation path should define what evidence is required, who can approve a claim, and when issuance must be blocked until resolution is complete.
👉 Read our full editorial: EV certificates still depend on identity proofs browsers can trust