JDK-6648800

Support new EV certificate in Java plugin and Java Webstart

    • Enhancement
    • Resolution: Won't Fix
    • P3
    • None
    • 6
    • deploy
    • None

      Extended Validation Certificates (EV) are a special type of X.509 certificate which require more extensive investigation of the requesting entity by the Certificate Authority before being issued.

      An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.

      Most browsers' user interfaces do not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add credibility to their websites.

      By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business with a public real-world presence.

      Browsers with EV support will display more information for EV certificates than for previous SSL certificates. Microsoft's Internet Explorer 7 is the first browser to be EV-ready. VeriSign has issued a controversial [3] add-on for Mozilla's Firefox browser to provide EV support for certificates issued by its CAs only. When they receive an EV certificate:

          * The address bar will turn green.
          * A special label will appear that periodically alternates between the name/summarised address of the website owner, and the CA that issued their certificate.

      Our Java plugin (Java webstart) should support EV certificates in a future release.
      There are two new features that we could consider supporting. The first one is to recognize EV certs and display the subject's name in a different way to non-EV certs. The EV cert provides assurance that the subject really is who they claim to be.

      Given this assurance, the second feature is to implicitly trust code signed by certain EV certs. This would eliminate the need for some of the security dialogs. Of course, this second feature would be disabled by default. It could also include a user-extensible set of EV certs.

            herrick Andy Herrick (Inactive)
            dgu Dennis Gu (Inactive)