
A new SSL certificate is on the way (Extended Validation SSL)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Sun, 14 Jan 2007 10:58:51 -0500
To: public-wsc-wg@w3.org
Message-ID: <OF0F9EFA3F.E1D25500-ON85257262.00787618-85257263.0057CA00@LocalDomain>
Phil will be demoing EV at our f2f. 

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

----- Forwarded by Mary Ellen Zurko/Westford/IBM on 01/13/2007 04:55 PM 

Timothy Hahn/Durham/IBM@IBMUS 
01/09/2007 08:13 AM

Mary Ellen Zurko/Westford/IBM@Iris@IBMUS

A new SSL certificate is on the way (Extended Validation SSL)

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530

----- Forwarded by Timothy Hahn/Durham/IBM on 01/09/07 08:11 AM -----


A new SSL certificate is on the way
Technology Update  By Tim Callan, Network World, 01/04/07

Web-based businesses face a crisis in consumer confidence because
of phishing scams. But because of a new kind of SSL certificate, Web sites
will be able to definitively demonstrate their identity, and customers
will be able to confirm the identity of trusted sites.

Extended Validation SSL (EV SSL) certificates represent more than a year's
effort by an industry consortium called the CA/Browser Forum. These
certificates became available last month for the benefit of Web businesses
and site visitors. EV SSL certificates can facilitate online commerce by
increasing visitor confidence and greatly reducing phishing's

Many online shoppers understand that the little lock on the browser means
transmissions are encrypted and therefore protected from spying eyes, but
how do they know they reached a reputable site?

Two issues must be addressed. The first is to identify a new category of
SSL certificate that ensures a site owner's identity, and the second is a
browser interface that makes it easy to see the identity when it's known
and recognize when it isn't. EV SSL certificates are the new certificates
in question.

The CA/Browser Forum, with more than 20 leading browser manufacturers and
SSL providers, has created a standardized authentication process that any
certificate authority must follow for EV certificates, including
independent audit to confirm compliance.

The forum built this process on existing practices demonstrated
successfully in more than a decade of widespread use. The standard goes
into great detail on three main authentication legs: organization, domain
and requestor.

The certificate authority must establish that the requesting organization
is a legally established business or nonprofit on record with the local
government. It must establish this organization's ownership or right to
use the Web domain in question, and it must establish that the requesting
individual is employed by the organization and has the authority to obtain
SSL certificates. Each authentication step depends on independent, outside
information obtained from reliable third-party sources.

Once a certificate authority completes this authentication, it may issue a
certificate with EV SSL status. This certificate operates exactly like a
traditional SSL certificate. Browsers not built to recognize EV
certificates (including Internet Explorer 6, Firefox 2 and their
predecessors) behave as with non-EV certificates. New EV-compatible
browsers, however, display these certificates in highly visible and
informative ways, starting with Internet Explorer 7.

Internet Explorer 7 has added interface conventions to enhance site owner
identification, most obviously the green address bar. When an Internet
Explorer 7 browser accesses a page with an EV SSL certificate, it changes
the address bar's background to green, which indicates a site has
undergone high-level identity authentication.

Internet Explorer 7 also contains the security status bar. On pages with
EV SSL certificates, it displays the organization name, which comes
directly from the certificate. Because the certificate authority verified
this name and the browser displays it in its own interface, visitors can
rely on it.

Internet Explorer 7 detects an EV certificate through a marker in the
certificate called an OID. In real time the browser confirms that this SSL
root has an EV OID in good standing and then displays the EV interface
features. This architecture makes it possible to adjust a certificate
authority's EV status in real time. For example, if a certificate
authority consistently fails at reliably performing EV authentication,
browsers could stop detecting these certificates as EV certificates,
protecting the overall trustworthiness of EV SSL.

Many industry watchers expect EV certificates to significantly hinder
phishing and instill confidence in site visitors. By providing a reliable,
highly visible indicator of site identity, this standard makes it possible
for visitors to take control of their security.

Callan is director of product marketing for VeriSign.

All contents copyright 1995-2007 Network World, Inc.


Received on Sunday, 14 January 2007 15:59:44 UTC
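
Added example (not part of the forwarded article and not any browser's code): the EV decision the article describes, reduced to its two checks, namely that the certificate's certificatePolicies extension carries a policy OID and that the browser's own table still lists that OID for the issuing root. The root label, the OIDs (taken from the 2.999 example arc) and the DER byte strings are constructed; chain building and signature verification are assumed to have happened already.

```python
# Added example; every OID, root label and DER byte string here is constructed.

def read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the content octets of an OBJECT IDENTIFIER into dotted notation."""
    subids, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:               # high bit clear ends one base-128 number
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)       # the first two arcs share one number
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def policy_oids(ext_value):
    """List the policy OIDs in a certificatePolicies extension value."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF PolicyInformation")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)
        oid_tag, oid_body, _ = read_tlv(info, 0)   # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(oid_body))
    return oids

# Browser-side table (constructed): root label -> EV policy OID accepted for it.
EV_ROOTS = {"root-a": "2.999.1.1"}

def is_ev(ext_value, root, ev_roots=EV_ROOTS):
    """EV UI only if the root is EV-enabled and the leaf asserts that root's OID."""
    ev_oid = ev_roots.get(root)           # None once a root loses EV standing
    return ev_oid is not None and ev_oid in policy_oids(ext_value)

EV_EXT = bytes.fromhex("30083006060488370101")   # policies: 2.999.1.1
DV_EXT = bytes.fromhex("300730050603883702")     # policies: 2.999.2
```

Passing an `ev_roots` table without the root models the case the article mentions, where a certificate authority's EV status is withdrawn and its certificates fall back to ordinary SSL treatment.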
