I have yet to find a CA that doesn't require personal information for DV certificates
Question
I have yet to find a CA that doesn't require personal information for DV certificates. Is this because all of the major browsers and operating systems have a policy to reject CAs that don't require personal information? Or is there some other reason for the lack of privacy-friendly CAs?
I'd like to replace my personal web server's self-signed SSL certificate with a certificate signed by a well-trusted certificate authority. I understand that some use cases require thorough identity investigations, but I only need a basic domain validation (DV) certificate. I don't want to share personal details that are irrelevant to providing end-to-end encryption for personal use (e.g., my home address and phone number).
I'm not looking for a CA that blindly trusts a claim of ownership of a domain.
Explanation / Answer
The short answer is no: the Evidence of Identity (EOI) isn't mandatory, or forced upon them by governments (at least as far as I know) or Internet standards.
However, consider that the CA's product is trust. People trust a CA to only issue certificates to the legal owners of trusted sites. EOI forms part of the chain of trust. A CA may be able to redesign its certificate issuance processes to meet your particular needs, but the truth is that most people who require SSL certs don't care, especially as the owner is already identified in the whois record.
Incidentally the relevant standard here is RFC 3647, which covers Certificate Policy and the Certificate Practice Statement. While this RFC contains plenty of detail about the contents of these policies and supporting documents, it does not proscribe minimum levels of identification in the issuance process.