Open Letter to EC-Council: Request for Programmatic Credential Verification API
From: V2C Inc (501(c)(3) Nonprofit), Rajat Ravinder Varuni, Founder
To: EC-Council, Engineering & Partnerships Team
Date: February 17, 2026
Re: Request for Email Hash Verification API or Open Badges Compliance for ASPEN
Dear EC-Council Engineering and Partnerships Team,
I am writing on behalf of V2C Inc, a 501(c)(3) nonprofit organization, regarding our platform CertScore (certscore.org), a professional credential verification and ranking platform that integrates with major certification providers to help professionals showcase and prove their expertise.
The Issue
CertScore currently integrates with Credly, Accredible, and EC-Council ASPEN for credential verification. We have identified a significant gap in EC-Council's ASPEN verification system that directly disadvantages EC-Council credential holders compared to holders of certifications from other providers.
The core problem: EC-Council's ASPEN system provides no mechanism for a credential holder to programmatically prove ownership of their certification to a third-party platform.
As a result, CertScore is forced to classify all EC-Council credentials (CEH, CCISO, CND, ECSA, CHFI, CPENT, LPT, CSCU, etc.) as "self-reported," a lower trust tier that awards zero points toward a user's CertScore ranking. Meanwhile, credentials from Credly and Accredible achieve "verified" status with full points, because those providers offer email hash verification that complies with the Open Badges specification.
This means an EC-Council Certified Ethical Hacker (CEH), one of the most respected certifications in cybersecurity, carries less trust weight on our platform than a Credly-issued badge, purely because of this technical limitation.
What Other Providers Do
Credly (Industry Standard)
Credly badges include an OBI (Open Badges Infrastructure) assertion that contains a SHA-256 hash of the recipient's email address. When a user claims a badge on CertScore:
- We fetch the OBI assertion JSON from the badge URL
- We retrieve the `recipient.identity` field, which contains a salted SHA-256 hash
- We hash the user's authenticated email using the same algorithm and salt from the assertion
- If the hashes match, the credential is cryptographically verified as belonging to that user
This follows the W3C Open Badges 2.0 specification (maintained by 1EdTech/IMS Global). The email is never exposed. Only an irreversible hash is transmitted.
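The comparison in the steps above, as an added Python example (not CertScore's or Credly's code). The assertion, salt, and addresses are constructed samples, and the function names are hypothetical; the hash layout (`sha256$` followed by the hex digest of the email concatenated with the salt) is the one Open Badges 2.0 defines for a hashed recipient.

```python
import hashlib
import hmac

def hash_identity(email, salt=""):
    """Open Badges 2.0 IdentityHash: 'sha256$' + hex SHA-256 of email + salt."""
    return "sha256$" + hashlib.sha256((email + salt).encode("utf-8")).hexdigest()

# Constructed sample assertion (not a real badge); only the fields used here.
SAMPLE_ASSERTION = {
    "@context": "https://w3id.org/openbadges/v2",
    "type": "Assertion",
    "id": "https://badges.example.org/assertions/constructed-1",
    "recipient": {
        "type": "email",
        "hashed": True,
        "salt": "constructed-salt",
        "identity": hash_identity("holder@example.org", "constructed-salt"),
    },
}

def recipient_matches(assertion, authenticated_email):
    """True only if the assertion's hashed recipient is this e-mail address."""
    recipient = assertion.get("recipient")
    if not isinstance(recipient, dict):
        return False
    if recipient.get("type") != "email" or recipient.get("hashed") is not True:
        return False
    identity = recipient.get("identity")
    if not isinstance(identity, str):
        return False
    algorithm, sep, digest = identity.partition("$")
    # The flow above is SHA-256 only; any other or missing prefix is refused.
    if not sep or algorithm != "sha256" or len(digest) != 64:
        return False
    expected = ("sha256$" + digest.lower()).encode("ascii", "replace")
    salt = recipient.get("salt") or ""      # salt is optional in the assertion
    if not isinstance(salt, str):
        return False
    email = authenticated_email.strip()
    # Issuers differ on case normalisation, so try as entered and lowercased.
    return any(
        hmac.compare_digest(hash_identity(candidate, salt).encode("ascii"), expected)
        for candidate in {email, email.lower()}
    )
```

The email passed in must come from the platform's own authenticated session, never from a field the user can type freely at claim time.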
Accredible
Accredible similarly supports OBI assertions with email hashes on credentials hosted at credential.net. Credentials issued with OBI compliance can be verified using the same SHA-256 hash comparison method.
What EC-Council ASPEN Currently Provides
We have conducted a thorough technical audit of EC-Council's ASPEN platform. Here is what we found:
ASPEN Verification Page
The verification page at aspen.eccouncil.org/verify provides a lookup form accepting two fields: Candidate Name and Certification Number. The form returns a server-rendered HTML page displaying the holder name, certification name and number, issue and expiry dates, and a "Verified" status label. There is no structured data, no JSON output, and no machine-readable response.
Capability Comparison
| Capability | Credly | Accredible | EC-Council ASPEN |
|---|---|---|---|
| JSON API endpoint | Yes | Yes | No |
| OBI/Open Badges assertion | Yes (v2.0) | Yes (v2.0) | No |
| SHA-256 email hash | Yes | Yes | No |
| Hosted verification (machine-readable) | Yes | Yes | No (HTML only) |
| Signed badge (JWS) | Yes | Optional | No |
| Recipient identifier beyond name | Yes (hashed email) | Yes (hashed email) | No |
The Consequence: HTML Scraping
Because ASPEN exposes only server-rendered HTML with no structured data output, CertScore is forced to fetch the raw HTML, parse the DOM, extract text from HTML elements, and perform a fuzzy name match. This approach is fragile (any HTML change breaks it), unverifiable (name matching cannot prove ownership), and unfair to EC-Council holders who receive zero points while equivalent credentials from other providers receive 50 to 150 points.
CertScore Verification Status Breakdown
Email hash match via OBI assertion. Cryptographic proof of ownership.
Name match only, no cryptographic proof. All EC-Council credentials are locked here.
Identity mismatch. The name on the credential does not match the user's profile.
EC-Council Certification Scoring Impact
| Certification | Tier | Points (if verified) | Points (current) |
|---|---|---|---|
| CEH (Certified Ethical Hacker) | Professional | 100 | 0 |
| CCISO (Chief Information Security Officer) | Professional | 100 | 0 |
| CHFI (Computer Hacking Forensic Investigator) | Professional | 100 | 0 |
| CPENT (Certified Penetration Testing Professional) | Professional | 100 | 0 |
| LPT (Licensed Penetration Tester) | Expert | 150 | 0 |
| CND (Certified Network Defender) | Professional | 100 | 0 |
| ECSA (EC-Council Certified Security Analyst) | Professional | 100 | 0 |
| CSCU (Certified Secure Computer User) | Associate | 50 | 0 |
What We Are Requesting
We respectfully request that EC-Council implement one or more of the following, listed in order of implementation simplicity:
Option A: Email Hash Endpoint (Recommended, Minimal Effort)
Add a single JSON endpoint that returns a SHA-256 hash of the credential holder's registered email address, salted with a consistent value. This does not expose the holder's email. Only an irreversible, one-way hash is returned. A third-party platform can only verify a match if the user has already provided the correct email through their own authentication.
Estimated effort: 1 API endpoint, 1 database query, 1 SHA-256 hash operation. Could be built in a single sprint.
Option B: Full Open Badges 2.0 / 3.0 Compliance
Adopt the W3C Open Badges specification for all ASPEN-issued credentials. This is the industry standard already used by Credly, Accredible, Badgr, Canvas Credentials, and hundreds of other providers. It would enable interoperability with any Open Badges-compatible platform globally, not just CertScore.
Option C: OAuth Verification Flow
Allow credential holders to authorize third-party platforms via OAuth 2.0. The holder logs into their EC-Council account and grants read access to their certifications. More complex but provides the strongest verification and best user experience.
Option D: Verification Code System
Issue a unique, time-limited verification code to each credential holder via their registered email. The holder enters this code on CertScore, and we validate it against EC-Council's system. This requires no persistent API, just a code generation endpoint and a validation endpoint.
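A sketch of the issuer side of Option D, added here as an example and not EC-Council's or CertScore's code. The class name, the in-memory store, the 10-minute lifetime, and the five-guess limit are all assumptions; the certification numbers used with it are constructed.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600   # assumed validity window for a code
MAX_ATTEMPTS = 5         # assumed number of guesses allowed per code


class VerificationCodes:
    """In-memory stand-in for the issuer's code store (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # cert_number -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(cert_number, code):
        # Keep only a digest, so a leaked table does not reveal live codes.
        return hashlib.sha256(f"{cert_number}:{code}".encode("utf-8")).digest()

    def issue(self, cert_number):
        """Generation endpoint: returns the code to e-mail to the holder."""
        code = secrets.token_hex(4).upper()
        # Issuing again replaces any earlier code for the same credential.
        self._pending[cert_number] = [
            self._digest(cert_number, code),
            self._clock() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return code

    def validate(self, cert_number, code):
        """Validation endpoint: True once, for the right code, before expiry."""
        entry = self._pending.get(cert_number)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[cert_number]
            return False
        entry[2] = attempts_left - 1          # count the guess before comparing
        if hmac.compare_digest(digest, self._digest(cert_number, code)):
            del self._pending[cert_number]    # single use
            return True
        return False
```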
The Impact
EC-Council certifications are among the most prestigious in cybersecurity. The CEH alone is held by over 250,000 professionals worldwide. By not providing a verification API, EC-Council is inadvertently:
- Reducing trust in EC-Council credentials on third-party platforms. Any platform that integrates with both Credly and EC-Council will face the same verification gap.
- Disadvantaging EC-Council holders. A professional with both a CEH and a Credly-issued AWS Security Specialty will see their AWS cert verified and scored, while their CEH sits at zero points.
- Limiting discoverability. On CertScore's leaderboard, self-reported credentials rank lower. EC-Council holders are structurally penalized through no fault of their own.
- Falling behind industry standards. The Open Badges specification (now in version 3.0) has been adopted by major providers, universities, and government agencies. EC-Council's absence is increasingly notable.
We have published a full transparency page explaining our verification methodology at certscore.org/transparency.
About CertScore and V2C
- CertScore (certscore.org) is a free, open platform for professionals to verify, showcase, and rank their professional certifications
- V2C Inc (v2c.org) is a 501(c)(3) nonprofit organization focused on workforce development and technology accessibility
- We have no commercial interest in favoring any provider. Our goal is accurate, fair verification for all credentials
- Our verification infrastructure is monitored 24/7, instrumented with error tracking, and operates on Supabase + Cloudflare
Next Steps
We would welcome the opportunity to discuss this further with EC-Council's engineering or partnerships team. We are prepared to:
- Provide detailed technical specifications for any of the above options
- Share our Open Badges integration code as a reference implementation
- Assist with Open Badges 2.0/3.0 implementation guidance
- Test and validate any API endpoint in a staging environment before production rollout
- Collaborate on a pilot program for CertScore + EC-Council integration
- Co-author a joint announcement if EC-Council achieves Open Badges compliance
Please reach out to us at [email protected].
Thank you for your time and consideration. EC-Council certifications deserve the same level of trust and verifiability that the industry's other leading providers already offer.
V2C Inc is a 501(c)(3) tax-exempt nonprofit organization (EIN: 33-3915449). CertScore is a V2C project.