Extended Validation Certificate

Extended Validation Certificates (EV) [ The term validation as used here should not be confused with the Certification path validation algorithm commonly found in a certificate context.] are a special type of X.509 certificate which require more extensive investigation of the requesting entity [A requesting entity is the organization, company, government department or other person that is applying for a certificate.] by the Certificate Authority before being issued.

The criteria for issuing EV certificates are defined by the [http://cabforum.org/EV_Certificate_Guidelines_V11.pdf Guidelines for Extended Validation Certificates] , currently at version 1.1.The guidelines are produced by the [http://www.cabforum.org/ CA/Browser Forum] , a voluntary organization whose [http://cabforum.org/forum.html members] include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions.

Motivation

An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.

Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add credibility to their websites.

By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business or organization with a verifiable identity.

Issuing criteria

Only CAs who pass an independent audit as part of their WebTrust (or equivalent) review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:

* Establish the legal identity as well as the operational and physical presence of website owner;
* Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
* Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

User interface

Browsers with EV support display more information for EV certificates than for previous SSL certificates. Microsoft's Internet Explorer 7 was the first browser to be EV-ready. Firefox 3, Opera 9.5, and Google Chrome all provide EV support. Apple has not announced any intent to distinguish EV certificates in the Safari user interface.

The Extended Validation (EV) guidelines require participating Certificate Authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the Certificate Authority has completed an [http://cabforum.org/WebTrustAuditGuidelines.pdf independent audit] and met other criteria. The browser matches the EV identifier in the SSL certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the SSL certificate receives the enhanced EV display in the browser's user interface.

Extended Validation certificate identification

EV certificates are standard x.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement.

"*" "XRamp Security Services, Inc.", successor to SecureTrust corporation a wholly owned subsidiary of Trustwave Holdings,Inc. ("Trustwave")

Online Certificate Status Protocol

The criteria for issuing Extended Validation certificates do not require issuing Certificate Authorities to immediately support Online Certificate Status Protocol for revocation checking. However, the requirement for a timely response to revocation checks by the browser has prompted most Certificate Authorities that had not previously done so to implement OCSP support. Section 26-A of the issuing criteria requires CAs to support OCSP checking for all certificates issued after Dec. 31, 2010.

Surrounding issues

Availability to small businesses

Since EV certificates are being promoted ["in IE 7 ... if a website has an Entrust EV SSL Certificate installed, the address bar color will change to green and toggle between the identity of the site and the name of the certificate authority to let the consumer know they can shop with confidence."cite web
publisher = Entrust
title = EV SSL Certificate FAQ
url = http://www.entrust.net/ssl-technical/ev_faq.htm
accessdate = 2007-02-05 ] and reported ["The colored address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving Web surfers the green light to carry out transactions there."cite web
publisher = CNet
title = IE 7 gives secure Web sites the green light
url = http://news.com.com/IE+7+gives+secure+Web+sites+the+green+light/2100-1029_3-6155826.html
accessdate = 2007-02-05 ] as a mark of a trustworthy website, some small business owners have voiced concernscite news
last = Richmond
first = Riva
title = Software to Spot 'Phishers' Irks Small Concerns
publisher = Wall Street Journal
date = December 19, 2006
url = http://online.wsj.com/public/article/SB116649577602354120-5U4Afb0JPeyiOy1H_j3fVTUmfG8_20071218.html?mod=rss_free
accessdate=2008-06-20] that EV certificates give undue advantage to large businesses.

The [http://cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf published drafts] of the EV Guidelines excluded unincorporated business entities, and early media reports focused on that issue. [http://cabforum.org/EV_Certificate_Guidelines.pdf Version 1.0] of the EV Guidelines was revised to embrace unincorporated associations as long as they were registered with a recognized agency, greatly expanding the number of organizations that qualified for an Extended Validation Certificate.

Early media reports also focused on the higher price of EV certificates, typically pointing to VeriSign's pricing. While the higher validation costs inherent in following the EV Guidelines do engender higher prices relative to other SSL certificate products, a number of CAs have been promoting EV prices below $500.

Evolving understanding of Extended Validation's effect on phishing

In 2006, Stanford University students conducted a usability study [cite conference
first = Collin
last = Jackson
coauthors = Daniel R. Simon, Desney S. Tan, Adam Barth
title = An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
booktitle = Usable Security 2007
url = http://www.usablesecurity.org/papers/jackson.pdf] of the EV display in Internet Explorer 7. The study attempted to measure users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks. Due to the small size of the study's sample base (nine test subjects per cell) the margin for error of each result was several times the actual measurement, and therefore no useful conclusion was possible. However, this study led the way for other researchers to present results of a statistically significant nature. In January 2007, usability research firm Tec-Ed published its results of running 384 North American test subjects through purchasing simulations on sites with and without green address bars. Tec-Ed concluded that latent understanding of green address bars was very high, with 93% of test subjects recognizing a site with a green address bar as a safer shopping experience than one without. With regard to Extended Validation's defense against phishing, the Tec-Ed research reveals that when a site adopts green address bars, then 77% of users visiting what appears to be the same site but without the green address bar will decline to complete the transaction. [cite web
last = Tec-Ed Inc.
title = Extended Validation and VeriSign Brand
url = http://www.verisign.com/static/040655.pdf
accessdate = 2008-08-28]

See also

* Transport Layer Security (TLS)

Footnotes

References

* [http://www.cabforum.org/ CA/Browser Forum Web site]
* [http://cabforum.org/EV_Certificate_Guidelines.pdf CA/Browser Extended Validation Guidelines]
* [http://www.microsoft.com/windows/products/winfamily/ie/ev/default.mspx Microsoft information on EV in IE7]
* [http://support.microsoft.com/kb/931125 CAs approved for EV in Microsoft IE7]