Article Id: WHEBN0007104097
Title: Extended Validation Certificate  
Author: World Heritage Encyclopedia
Language: English
Subject: Domain-validated certificate, GlobalSign, Certificate Transparency, Public key certificate, Internet Explorer 7
Collection: 2007 Introductions, E-Commerce, Key Management, Public Key Infrastructure, Transport Layer Security
Publisher: World Heritage Encyclopedia

Extended Validation Certificate

An Extended Validation Certificate in Mozilla Firefox.
An example of a multi-domain, UCC (SAN) EV certificate on https://www.ssl.com (note the Subject Alternative Name (SAN) field). Wildcard names are not allowed in EV certificates, so every name must be listed explicitly in the certificate and reviewed by the certificate authority.

An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued. Certificates issued by a CA under the EV guidelines contain a subject with X.509 OIDs for jurisdictionOfIncorporationCountryName, businessCategory, and serialNumber, with the serialNumber pointing to the ID at the relevant Secretary of State (US) or national business registrar (outside the US), as well as a CA-specific policy identifier so that EV-aware software, such as a web browser, can recognize them. EV certificates use the same cryptography as other types of SSL/TLS certificates: the difference is in the validation process, as indicated by the policy identifier in the certificate.

EV certificates are mainly presented by web servers to web browsers for use with SSL/TLS connections.

The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation, currently (as of August 11, 2015) at version 1.5.6. The guidelines[1] are produced by the
[2]

Contents

  • 1 History
  • 2 Motivation
  • 3 Issuing criteria
  • 4 User interface
  • 5 Compatibility
    • 5.1 Supported Mobile Device Browsers
    • 5.2 Web server support
  • 6 Extended Validation certificate identification
  • 7 Online Certificate Status Protocol
  • 8 Criticism
    • 8.1 Availability to small businesses
    • 8.2 Effectiveness against phishing attacks
    • 8.3 PKI-Me-Harder
  • 9 See also
  • 10 References
  • 11 External links

History

In 2005 CA/Browser Forum, hoping to improve standards for issuing SSL/TLS certificates.[3] On June 12, 2007, the CA/Browser Forum officially ratified the first version of the Extended Validation (EV) SSL Guidelines, which took effect immediately. The formal approval brought to a close more than two years of effort and provided the infrastructure for trusted Web site identity on the Internet. Then, in April 2008, the Forum announced version 1.1 of the Guidelines, building on the practical experience its member CAs and Relying-Party Application Software Suppliers had gained in the months since the first version was approved for use.

Motivation

An important motivation for using digital certificates with SSL/TLS was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get a certificate.

However, commercial pressures have led some CAs to introduce "domain validation only" certificates. Domain-validated certificates existed before validation standards, and generally require only some proof of domain control. In particular, domain-validated certificates do not assert that a given legal entity has any relationship with the domain, although the domain name may resemble that of a particular legal entity.

Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that had undergone more rigorous vetting. Since any successful SSL/TLS connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) use TLS to add perceived credibility to their websites. Users of modern browsers can always check the identity of the certificate owner by examining the details of the issued certificate, which always indicate the certificate owner information, such as the name of the organization and its location.

EV certificates are validated against both the Baseline Requirements and the Extended Validation requirements, which place additional requirements on how authorities vet companies. These include manual checks of all the domain names requested by the applicant, checks against official government sources, checks against independent information sources, and phone calls to the company to confirm the position of the applicant. If the certificate is accepted, the government-registered serial number of the business as well as the physical address are stored in the EV certificate.

By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV certificates are intended to restore confidence among users that a website operator is a legally established business or organization with a verifiable identity.[4]

That said, there is still the concern that the same lack of accountability that led to the loss of public confidence in domain-validated certificates will lead to lax certification practices that erode the value of EV certificates as well.[5]

Issuing criteria

Only CAs who pass an independent qualified audit review, WebTrust (or equivalent),[6] may offer EV, and all CAs globally must follow the same detailed issuance requirements, which aim to:

  • Establish the legal identity as well as the operational and physical presence of the website owner;
  • Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

It is not possible to get a wildcard Extended Validation Certificate; instead, all fully qualified domain names must be included in the certificate and inspected by the certificate authority.[7]

User interface

Browsers with EV support display the validated identity, usually a combination of organization name and jurisdiction, contained in the EV certificate's 'subject' field. Microsoft Internet Explorer 7, Mozilla Firefox 3, Safari 3.2, Opera 9.5, and Google Chrome all provide EV support.

The Extended Validation guidelines require participating certificate authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the certificate authority has completed an independent audit and met other criteria. The browser matches the EV identifier in the certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the certificate receives the enhanced EV display in the browser's user interface. In most implementations, the enhanced display includes:

  • The name of the company or entity that owns the certificate.
  • The name of the certificate authority (CA) that issued the EV certificate.
  • A distinctive color, usually green, shown in the address bar to indicate that a valid EV certificate was received.

Compatibility

Most Extended Validation Certificates are compatible with the following browsers:[8]

Supported Mobile Device Browsers

  • Safari for iOS (iPhone 3GS and later)
  • Windows Phone
  • Blackberry

Web server support

Extended Validation supports all current releases of web servers supporting SSL v3 or TLS. Supported servers include:

  • Apache + mod_ssl
  • Apache + Raven
  • Apache + Raven 1.5x
  • Apache + SSLeay
  • BEA WebLogic
  • C2Net Stronghold
  • Cobalt RaQ3/RaQ4 "Main Site"
  • Cobalt RaQ3 "Virtual Site"
  • Cobalt RaQ4 "Virtual Site"
  • IBM HTTP
  • iPlanet Enterprise Server 4.1
  • Lotus Domino Go 4.6.2.6 and higher
  • Lotus Domino 4.6 and higher
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
  • Netscape Enterprise/Fast Track
  • O'Reilly WebSite Professional 2.X
  • Stronghold 3
  • WebSTAR 4
  • WebSTAR V
  • Zeus Web Server v3

Extended Validation certificate identification

EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify its EV certificates, and each OID is documented in the issuer's Certification Practice Statement. As with root certificate authorities in general, browsers may not recognize all issuers.

| Issuer | OID | Certification Practice Statement |
|---|---|---|
| Actalis | 1.3.159.1.17.1 | Actalis CPS v2.3 |
| AffirmTrust | 1.3.6.1.4.1.34697.2.1, 1.3.6.1.4.1.34697.2.2, 1.3.6.1.4.1.34697.2.3, 1.3.6.1.4.1.34697.2.4 | AffirmTrust CPS v1.1, p. 4 |
| A-Trust | 1.2.40.0.17.1.22 | a.sign SSL EV CPS v1.3.4 |
| Buypass | 2.16.578.1.26.1.3.3 | Buypass Class 3 EV CPS, p. 10 |
| Camerfirma | 1.3.6.1.4.1.17326.10.14.2.1.2, 1.3.6.1.4.1.17326.10.8.12.1.2 | Camerfirma CPS v3.2.3 |
| Comodo Group | 1.3.6.1.4.1.6449.1.2.1.5.1 | Comodo EV CPS, p. 28 |
| DigiCert | 2.16.840.1.114412.2.1, 2.16.840.1.114412.1.3.0.2 | DigiCert EV CPS v. 1.0.3, p. 56 |
| DigiNotar (defunct[9]) | 2.16.528.1.1001.1.1.1.12.6.1.1.1 | DigiNotar CPS v 3.5, p. 2 |
| E-Tugra | 2.16.792.3.0.4.1.1.4 | E-Tugra Certification Practice Statement (CPS), p. 2 |
| Entrust | 2.16.840.1.114028.10.1.2 | Entrust EV CPS, p. 37 |
| ETSI | 0.4.0.2042.1.4, 0.4.0.2042.1.5 | ETSI TS 102 042 V2.4.1, p. 18 |
| Firmaprofesional | 1.3.6.1.4.1.13177.10.1.3.10 | SSL SECURE WEB SERVER CERTIFICATES, p. 6 |
| GeoTrust | 1.3.6.1.4.1.14370.1.6 | GeoTrust EV CPS v. 2.6, p. 28 |
| GlobalSign | 1.3.6.1.4.1.4146.1.1 | GlobalSign EV CPS v. 6.5, p. 24 |
| Go Daddy | 2.16.840.1.114413.1.7.23.3 | Go Daddy EV CPS v. 2.0, p. 42 |
| Izenpe | 1.3.6.1.4.1.14777.6.1.1 | DOCUMENTACIÓN ESPECÍFICA PARA CERTIFICADOS DEL TIPO: SERVIDOR SEGURO SSL, SERVIDOR SEGURO EVV, SEDE ELECTRÓNICA Y SEDE ELECTRÓNICA EV |
| Kamu Sertifikasyon Merkezi | 2.16.792.1.2.1.1.5.7.1.9 | TÜBİTAK BİLGEM Kamu Sertifikasyon Merkezi SSL Sİ/SUE |
| Keynectis | 1.3.6.1.4.1.22234.2.5.2.3.1 | KEYNECTIS EV CA CPS v 0.3, p. 10 |
| Network Solutions | 1.3.6.1.4.1.782.1.2.1.8.1 | Network Solutions EV CPS v. 1.1, 2.4.1 |
| QuoVadis | 1.3.6.1.4.1.8024.0.2.100.1.2 | QuoVadis Root CA2 CP/CPS, p. 34 |
| SECOM Trust Systems | 1.2.392.200091.100.721.1 | SECOM Trust Systems EV CPS (in Japanese), p. 2 |
| Starfield Technologies | 2.16.840.1.114414.1.7.23.3 | Starfield EV CPS v. 2.0, p. 42 |
| StartCom Certification Authority | 1.3.6.1.4.1.23223.2, 1.3.6.1.4.1.23223.1.1.1 | StartCom CPS, no. 4 |
| Swisscom | 2.16.756.1.83.21.0 | Swisscom Root EV CA 2 CPS (in German), p. 62 |
| SwissSign | 2.16.756.1.89.1.2.1.1 | SwissSign Gold CA-G2 CP/CPS, p. 7 |
| Thawte | 2.16.840.1.113733.1.7.48.1 | Thawte EV CPS v. 3.3, p. 95 |
| Trustwave* | 2.16.840.1.114404.1.1.2.4.1 | SecureTrust EV CPS v1.1.1, p. 5 |
| VeriSign | 2.16.840.1.113733.1.7.23.6 | VeriSign EV CPS v. 3.3, p. 87 |
| Verizon Business (formerly Cybertrust) | 1.3.6.1.4.1.6334.1.100.1 | Cybertrust CPS v.5.2, p. 20 |
| Wells Fargo | 2.16.840.1.114171.500.9 | WellsSecure PKI CPS v. 12.1.2, p. 14 |
| WoSign | 1.3.6.1.4.1.36305.2 | WoSign CPS V1.2.4, p. 21 |

* "XRamp Security Services, Inc.", successor to SecureTrust Corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave")

Online Certificate Status Protocol

The criteria for issuing Extended Validation certificates do not require issuing certificate authorities to immediately support the Online Certificate Status Protocol for revocation checking. However, the requirement for a timely response to revocation checks by the browser has prompted most certificate authorities that had not previously done so to implement OCSP support. Section 26-A of the issuing criteria requires CAs to support OCSP checking for all certificates issued after Dec. 31, 2010.

Criticism

Availability to small businesses

Since EV certificates are being promoted and reported[10] as a mark of a trustworthy website, some small business owners have voiced concerns[11] that EV certificates give an undue advantage to large businesses. The published drafts of the EV Guidelines excluded unincorporated business entities, and early media reports[11] focused on that issue. Version 1.0 of the EV Guidelines was revised to embrace unincorporated associations as long as they were registered with a recognized agency, greatly expanding the number of organizations that qualified for an Extended Validation Certificate.

Effectiveness against phishing attacks

In 2006, researchers at Stanford University and Microsoft Research conducted a usability study[12] of the EV display in Internet Explorer 7. Their paper concluded that "participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group", whereas "participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate".

PKI-Me-Harder

While proponents of EV Certificates claim they help against phishing attacks,[13] security expert Peter Gutmann states that the new class of certificates restores CA profits that were eroded by the race to the bottom among issuers in the industry. Gutmann calls this phenomenon "PKI-Me-Harder":

  The introduction ... of so-called high-assurance or extended validation (EV) certificates that allow CAs to charge more for them than standard ones, is simply a case of rounding up twice the usual number of suspects - presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting. Indeed, cynics would say that this was exactly the problem that certificates and CAs were supposed to solve in the first place, and that “high-assurance” certificates are just a way of charging a second time for an existing service. A few years ago certificates still cost several hundred dollars, but now that the shifting baseline of certificate prices and quality has moved to the point where you can get them for $9.95 (or even for nothing at all) the big commercial CAs have had to reinvent themselves by defining a new standard and convincing the market to go back to the prices paid in the good old days. This deja-vu-all-over-again approach can be seen by examining Verisign’s certificate practice statement (CPS), the document that governs its certificate issuance. The security requirements in the EV-certificate 2008 CPS are (except for minor differences in the legalese used to express them) practically identical to the requirements for Class 3 certificates listed in Verisign’s version 1.0 CPS from 1996. EV certificates simply roll back the clock to the approach that had already failed the first time it was tried in 1996, resetting the shifting baseline and charging 1996 prices as a side-effect. There have even been proposals for a kind of sliding-window approach to certificate value in which, as the inevitable race to the bottom cheapens the effective value of established classes of certificates, they’re regarded as less and less effective by the software that uses them...[14]

See also

References

  1. ^ Guidelines for Extended Validation Certificates
  2. ^ CA/Browser Forum Members
  3. ^ http://www.eweek.com/c/a/Security/How-Can-We-Improve-Code-Signing/
  4. ^ William Hendric. "What is an EV SSL certificate?".
  5. ^ Hagai Bar-El. "The Inevitable Collapse of the Certificate Model". Hagai Bar-El on Security.
  6. ^ https://cabforum.org/audit-criteria/
  7. ^ "Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2" (PDF). CA/Browser Forum. 2014-10-16. p. 10. Retrieved 2014-12-15. "Wildcard certificates are not allowed for EV Certificates."
  8. ^ "What browsers support Extended Validation (EV) and display an EV indicator?".
  9. ^ "VASCO Announces Bankruptcy Filing by DigiNotar B.V." (Press release).
  10. ^ Evers, Joris (February 2, 2007). "IE 7 gives secure Web sites the green light".
  11. ^ a b Richmond, Riva (December 19, 2006). "Software to Spot 'Phishers' Irks Small Concerns".
  12. ^ Jackson, Collin; Daniel R. Simon; Desney S. Tan; Adam Barth. "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks" (PDF). Usable Security 2007.
  13. ^ "Common Questions About Extended Validation EV SSL". DigiCert, Inc. Retrieved 15 May 2013.
  14. ^

External links

  • CA/Browser Forum Web site
  • CA/Browser Extended Validation Vetting Process
  • Firefox green padlock for EV certificates

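The browser-side decision described under "User interface" (match the certificate's EV identifier against the one registered for the issuing CA) and the policy-OID identification described under "Extended Validation certificate identification", as an added example that is not part of the original article. It is written in Go against the standard library only; the two-entry registry, the certificate it builds and the subject values are all constructed for the demonstration, and matching on the issuer's organization name stands in for the binding to a trusted root certificate that a real browser uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// Constructed registry (EV policy OID -> issuing CA) from two table rows; a browser binds the OID to the CA's trusted root, so matching on the issuer's organization name here is a simplification.
var evPolicyRegistry = map[string]string{"2.16.840.1.114412.2.1": "DigiCert", "1.3.6.1.4.1.4146.1.1": "GlobalSign"}
// Subject attributes the EV guidelines require: jurisdictionOfIncorporationCountryName, businessCategory, serialNumber.
var evSubjectOIDs = []asn1.ObjectIdentifier{{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}, {2, 5, 4, 15}, {2, 5, 4, 5}}

// ClassifyEV mirrors the browser decision above: the EV display is earned only when a Certificate Policies OID is registered for an EV CA, that CA is the issuer, and every EV subject attribute is present.
func ClassifyEV(cert *x509.Certificate) (string, bool) {
	seen := map[string]bool{} // attribute types present in the subject (Names holds every parsed RDN)
	for _, atv := range cert.Subject.Names {
		seen[atv.Type.String()] = true
	}
	evSubject := seen[evSubjectOIDs[0].String()] && seen[evSubjectOIDs[1].String()] && seen[evSubjectOIDs[2].String()]
	for _, pol := range cert.PolicyIdentifiers {
		ca, registered := evPolicyRegistry[pol.String()]
		if registered && evSubject && len(cert.Issuer.Organization) > 0 && cert.Issuer.Organization[0] == ca {
			return ca, true
		}
	}
	return "", false // ordinary padlock only
}

type policyInfo struct{ Policy asn1.ObjectIdentifier } // one PolicyInformation element of certificatePolicies (qualifiers omitted)

// makeTestCert builds a constructed leaf certificate (not from any real CA) carrying one policy OID, the three EV subject attributes with made-up values, and issuerOrg as the issuer name, so the classifier can run offline.
func makeTestCert(policy asn1.ObjectIdentifier, issuerOrg string) (*x509.Certificate, error) {
	subject := pkix.Name{Organization: []string{"Example Corp"}, CommonName: "www.example.com"}
	for i, v := range []string{"US", "Private Organization", "5157550"} { // jurisdiction, category, registrar no.
		subject.ExtraNames = append(subject.ExtraNames, pkix.AttributeTypeAndValue{Type: evSubjectOIDs[i], Value: v})
	}
	polDER, err := asn1.Marshal([]policyInfo{{Policy: policy}}) // certificatePolicies ::= SEQUENCE OF PolicyInformation
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: polDER}}} // id-ce-certificatePolicies
	parent := &x509.Certificate{Subject: pkix.Name{Organization: []string{issuerOrg}}} // issuer-name template only
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))                     // fixed all-zero seed: throwaway fixture key
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Calling ClassifyEV on a certificate whose policy OID is registered but whose issuer is a different organization returns false, which is the check that stops an arbitrary CA from asserting another CA's EV OID.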
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.