
Right from the beginning "EV cert". What is EV? When you write an article and it's the first time you use an acronym, please define it.


DV = Domain Validation - all that's validated by the certificate authority (CA) is that the person getting the certificate controls the domain

OV = Organisation Validation - the CA also checks that the person getting the certificate is the organisation they claim to be (the cert will contain, for example, a company name or number)

EV = Extended Validation - the CA does additional checks for authenticity and trustworthiness

Typically, sites with EV certificates have the address bar show up green, and the organisation name is visible in it. EV is mostly only used for stuff like online banking. Less important things like Facebook, YouTube and your blog will use cheaper and easier to get DV or OV certificates. Let's Encrypt! gives you a DV certificate since domain ownership is the sole thing it can and does validate.


This is a perfect explanation. As a followup to @daok's feedback, I've amended the article to expand EV & provide a link!


Somewhere I read that EV certs (green bar) are slower because of an additional round trip or so. If it is the case, can someone point me to an article that explains this?


Browsers actually validate the certificate through CRL / OCSP for EV sites, if I recall correctly.

That takes time and adds latency, and there are differences between CAs in OCSP server performance. Your location can obviously impact performance too. If you're performance conscious you might want to take this into account.

This is actually something people don't consider when they say certificates should be free - running these CRL / OCSP servers costs money.

https://www.imperialviolet.org/2012/02/05/crlsets.html

Netcraft does OCSP responder performance analytics: http://uptime.netcraft.com/perf/reports/performance/OCSP


Would I be right in thinking OCSP stapling would avoid the extra trip in this instance?


Yes. It's meant to lessen the load on the OCSP responders and improve performance. The server will periodically fetch the OCSP response and serve it to clients so not every client needs to do it themselves.


EV certificates require OCSP: Section 26-A of the issuing criteria requires CAs to support OCSP checking for all certificates issued after Dec. 31, 2010.

However, as the other poster notes, OCSP stapling includes recent proof that the cert hasn't been revoked in the initial handshake, removing additional round trips. See https://en.wikipedia.org/wiki/OCSP_stapling


I should add: OCSP is in the Baseline Requirements, i.e. DV SSL certs will also need to support OCSP checking. See https://cabforum.org/wp-content/uploads/Baseline_Requirement...
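A quick way to verify what the two comments above describe (a stapled OCSP response arriving inside the TLS handshake, so the client makes no separate trip to the CA's responder) is to ask the server for its stapled response with `openssl s_client -status` and look at what comes back. The script below is an added example, not code from any commenter or from the company being discussed; the host and port passed to `check_stapling` are placeholders, and the parser only relies on the fixed phrases that `openssl s_client -status` prints ("OCSP response: no response sent", "OCSP Response Status: successful", "Cert Status: good").

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a TLS server staples
# an OCSP response and whether that response actually says "good".

# parse_stapling: read `openssl s_client -status` output on stdin.
# Exit codes:
#   0  a stapled response is present, the responder answered successfully,
#      and the certificate status is "good" (no extra client round trip needed)
#   1  the server stapled nothing (a checking client must contact the OCSP
#      responder itself, which is the extra latency discussed above)
#   2  a response was stapled but it is an error response, or the status is
#      not "good" (revoked / unknown); treat this as a misconfiguration
parse_stapling() {
    out=$(cat)

    # No staple at all: openssl prints this exact line.
    case "$out" in
        *"OCSP response: no response sent"*) return 1 ;;
    esac

    # A staple exists; make sure the responder did not return an error
    # (tryLater, unauthorized, ...), which a client must not accept as proof.
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) return 2 ;;
    esac

    # Finally require an explicit "good" status for the leaf certificate.
    case "$out" in
        *"Cert Status: good"*) return 0 ;;
        *) return 2 ;;
    esac
}

# check_stapling HOST [PORT]: live check against a real server (needs
# network). -servername is required so SNI picks the right certificate.
# HOST and PORT are whatever you pass in; nothing here is hard-coded.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | parse_stapling
}

# Example invocation (commented out so the script is safe to source):
#   check_stapling example.com && echo "stapled, status good"
```

If the server staples nothing, `openssl s_client -status` prints `OCSP response: no response sent` and the function exits 1. On nginx the server-side counterpart of this check is `ssl_stapling on;` together with `ssl_stapling_verify on;`, which makes nginx fetch the response from the CA's responder periodically and send it in the handshake, as the earlier comment describes.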


It's the main product this company is selling.


EV is a standard for identity verification, rather than a product.

Our product is 40-100x faster validation for EV. If you think DV is fine for your app, that's awesome. But if you're thinking about getting an EV cert, we do in an average of 5 hours what others do in 7-10 days.


Yeah I have no clue what that is.


Extended Validation. Usually implies the certificate authority has gone through extra steps to verify the identity of the domain owner.


The green bar certs that nobody in the world ever looks for.



