CAs use the concept of classes for different types of digital certificates, but these classes are not defined in any SSL/TLS RFC; they come from individual CAs' own certificate practice statements (the scheme originated with VeriSign). Let's try to understand what the different classes mean to SSL end users.
- Class 1: Class 1 certificates are issued after the applicant proves control of the domain and nothing more: typically by answering an email sent to a WHOIS or admin contact, by placing a token in a DNS record, or by serving a token at a well-known HTTP path. This is also known as a Domain Validation (DV) certificate. A DV certificate is a low-authentication product: it guarantees neither the identity of the website's owner nor the existence of any organization behind it. It simply lets two parties talk over an encrypted channel without knowing who the other one is; the subject usually contains only a CN (host name) and no O (organization) field.
Note: This is routinely abused by attackers running phishing sites. Anyone who registers a look-alike domain can obtain a DV certificate for it from a major certificate authority, and users then assume the padlock means the site is legitimate, when it only means the connection is encrypted to whoever controls that domain.
Do not rely on a low-authentication certificate to prove who operates a web-based application. A DV certificate gives the channel confidentiality and integrity but says nothing about the organization behind it; where users must be able to verify the operator, use an organization-validated or extended-validation certificate.
- Class 2: For Class 2 certificates (medium security level), a background check is required: the CA verifies the organization, business or person that owns the domain and confirms that it actually exists. These are typically called Organization Validated (OV) certificates, and the verified organization name appears in the certificate's subject as the O field.
- Class 3: These are server and organization certificates (high security; they correspond roughly to today's Extended Validation, EV) that are issued only after an independent verification of the applicant. The CA checks the organization's legal and operational existence, verifies its physical address against several sources of truth, and confirms that the person requesting the certificate is authorized to act for the organization.
- Class 4: Class 4 certificates are intended for online business transactions between companies.
- Class 5: Class 5 certificates are intended for private organizations or governmental security.
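The classes above map onto the DV / OV / EV levels that publicly trusted certificates advertise today through CA/Browser Forum policy OIDs. The following Python is an added example (not code from the original page): it reads the text dump that `openssl x509 -in cert.pem -noout -text` produces, extracts the Subject and the Certificate Policies extension, and reports which validation level the certificate asserts, falling back to the Subject's identity fields for older certificates that carry only a CA-specific OID. The sample dumps are constructed for this example; the CA names, the `1.3.6.1.4.1.99999` OID arc and the `ca.example` URL are placeholders.

```python
"""Work out the validation level (DV / OV / EV / IV) a certificate asserts.

Input is the text produced by `openssl x509 -in cert.pem -noout -text`.
Modern publicly trusted certificates carry a CA/Browser Forum policy OID that
states the validation level explicitly; older ones carry only the CA's own
OID, so the code falls back to inspecting the Subject.
"""
import re
import sys
from dataclasses import dataclass, field

# Reserved CA/Browser Forum certificate policy OIDs.
CABF_POLICY_OIDS = {
    "2.23.140.1.1": "EV",    # Extended Validation (EV Guidelines)
    "2.23.140.1.2.1": "DV",  # Domain Validated (Baseline Requirements)
    "2.23.140.1.2.2": "OV",  # Organization Validated
    "2.23.140.1.2.3": "IV",  # Individual Validated
}


@dataclass
class CertSummary:
    subject: dict = field(default_factory=dict)
    policies: list = field(default_factory=list)
    level: str = "UNKNOWN"
    basis: str = ""


def parse_subject(text):
    """Return the Subject RDNs as {attribute: value}, e.g. {"CN": "example.com"}."""
    match = re.search(r"^\s*Subject:\s*(.*)$", text, re.MULTILINE)
    if not match:
        return {}
    # openssl prints either "CN = x" (1.1.0 and later) or "CN=x" (older); accept both.
    return {attr: value.strip()
            for attr, value in re.findall(r"([A-Za-z]+)\s*=\s*([^,]+)", match.group(1))}


def parse_policies(text):
    """Return every policy OID listed under 'X509v3 Certificate Policies', in order."""
    return re.findall(r"^\s*Policy:\s*([0-9]+(?:\.[0-9]+)+)\s*$", text, re.MULTILINE)


def classify(text):
    """Classify one certificate dump; the CA/B OID wins, the Subject is the fallback."""
    summary = CertSummary(subject=parse_subject(text), policies=parse_policies(text))
    cabf = [oid for oid in summary.policies if oid in CABF_POLICY_OIDS]
    if cabf:
        summary.level = CABF_POLICY_OIDS[cabf[0]]
        summary.basis = "CA/B Forum policy OID " + cabf[0]
        if len({CABF_POLICY_OIDS[o] for o in cabf}) > 1:
            summary.basis += " (warning: certificate asserts more than one level)"
        return summary
    # No CA/B OID: EV subjects must carry businessCategory, serialNumber and
    # jurisdiction fields; OV subjects carry O; a DV subject names only a host.
    subj = summary.subject
    if {"businessCategory", "serialNumber"} <= set(subj) and any(k.startswith("jurisdiction") for k in subj):
        summary.level, summary.basis = "EV", "Subject carries EV identity fields (no CA/B OID)"
    elif "O" in subj:
        summary.level, summary.basis = "OV", "Subject carries O= but no CA/B OID"
    else:
        summary.level, summary.basis = "DV", "Subject names no organization, only a host"
    return summary


# Constructed sample dumps (abbreviated `openssl x509 -text` output, not real certificates).
DV_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example CA, CN = Example DV Issuer
        Subject: CN = secure-login.example
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:secure-login.example, DNS:www.secure-login.example
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
"""

EV_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = US, O = Example CA, CN = Example EV Issuer
        Subject: businessCategory = Private Organization, jurisdictionC = US, jurisdictionST = Delaware, serialNumber = 7654321, C = US, ST = California, L = San Francisco, O = Example Corp, CN = www.example.com
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.1
                Policy: 1.3.6.1.4.1.99999.1.1
                  CPS: https://ca.example/cps
"""

# Older OV certificate: only the CA's own policy OID, so the Subject decides.
LEGACY_OV_SAMPLE = """\
Certificate:
    Data:
        Subject: C = US, O = Example Corp, CN = app.example.com
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.99999.2.2
                  CPS: https://ca.example/cps
"""

if __name__ == "__main__":
    # With a file argument, classify that dump; otherwise run the constructed samples.
    if len(sys.argv) == 2:
        s = classify(open(sys.argv[1]).read())
        print(f"{s.level} ({s.basis}); subject={s.subject}")
    else:
        for name, dump in (("DV", DV_SAMPLE), ("EV", EV_SAMPLE), ("legacy OV", LEGACY_OV_SAMPLE)):
            s = classify(dump)
            print(f"{name:10} -> {s.level:3} ({s.basis}); subject={s.subject}")
```

To check a live site, feed it the leaf certificate: `openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text > dump.txt` and pass `dump.txt` to the script. A DV result for a site that claims to be a bank is exactly the phishing signal described above: the padlock proves control of the domain, not the identity of the operator.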