Extended Validation Certificate

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Cydebot at 22:28, 10 January 2013 (Robot - Speedily moving category Electronic commerce to Category:E-commerce per CFDS.).

An Extended Validation Certificate in Mozilla Firefox.

An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued. Certificates issued by a CA under the EV guidelines are not structurally different from other certificates (and hence provide no stronger cryptography than other, cheaper certificates), but are designated with a CA-specific policy identifier so that EV-aware software can recognize them.

The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation Certificates, currently (as of May 2012) at version 1.4. The guidelines[1] are produced by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions.[2]

History

In 2005 Melih Abdulhayoglu, CEO of the Comodo Group, convened the first meeting of the organization that became the CA/Browser Forum, hoping to improve standards for issuing SSL certificates.[3] On June 12, 2007, the CA/Browser Forum officially ratified the first version of the Extended Validation (EV) SSL Guidelines, which took effect immediately. The formal approval successfully brought to a close more than two years of effort, and provided the infrastructure for trusted Web site identity on the Internet. Then, in April 2008, the Forum announced version 1.1 of the Guidelines, building on the practical experience of its member CAs and Relying-Party Application Software Suppliers gained in the months since the first version was approved for use.

Motivation

An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.

Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites.

By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business or organization with a verifiable identity.

That said, there is still the concern that the same lack of accountability that led to the loss of public confidence in ordinary certificates will lead to lax certification practices that erode the value of EV certificates as well.[4]

Issuing criteria

Only CAs who pass an independent audit as part of their WebTrust (or equivalent) review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:

  • Establish the legal identity as well as the operational and physical presence of the website owner;
  • Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.

It is not possible to get a wildcard Extended Validation Certificate.

User interface

Browsers with EV support display more information for EV certificates than for previous SSL certificates. Microsoft Internet Explorer 7, Mozilla Firefox 3, Safari 3.2, Opera 9.5, and Google Chrome all provide EV support.

The Extended Validation guidelines require participating Certificate Authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the Certificate Authority has completed an independent audit and met other criteria. The browser matches the EV identifier in the SSL certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the SSL certificate receives the enhanced EV display in the browser's user interface. In most implementations, the enhanced display includes:

  • The name of the company or entity that owns the certificate.
  • The name of the SSL Certificate Authority (CA) that issued the EV certificate.
  • A distinctive color, usually green, shown in the address bar to indicate that a valid EV certificate was received.

Compatibility

Most of the Extended Validation SSL Certificates are compatible with the following browsers:[citation needed]

  • Google Chrome
  • IE 5.01+
  • AOL 5+
  • Mozilla 1+

Supported Mobile Device Browsers

  • Microsoft Pocket Internet Explorer
  • Palm / Handspring Blazer 2.0+
  • Blackberry
  • AT&T
  • Netfront 3.0+
  • Safari for iOS (iPhone 3GS and later)

Extended Validation supports all current releases of commercial and freeware web servers supporting SSL v.3. Supported servers include:

  • Apache + mod_ssl
  • Apache + Raven
  • Apache + Raven 1.5x
  • Apache + SSLeay
  • BEA WebLogic
  • C2Net Stronghold
  • Cobalt RaQ3/RaQ4 "Main Site"
  • Cobalt RaQ3 "Virtual Site"
  • Cobalt RaQ4 "Virtual Site"
  • IBM HTTP
  • iPlanet Enterprise Server 4.1
  • Lotus Domino Go 4.6.2.6 and higher
  • Lotus Domino 4.6 and higher
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
  • Netscape Enterprise/Fast Track
  • O'Reilly WebSite Professional 2.X
  • Stronghold 3
  • WebSTAR 4
  • WebSTAR V
  • Zeus Web Server v3

Extended Validation certificate identification

EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify its EV certificates, and each OID is documented in the issuer's Certification Practice Statement (CPS). As with root certificate authorities in general, browsers may not recognize all issuers.

Issuer, EV policy OID(s), and the Certification Practice Statement in which they are documented:

  • AffirmTrust: 1.3.6.1.4.1.34697.2.1, 1.3.6.1.4.1.34697.2.2, 1.3.6.1.4.1.34697.2.3, 1.3.6.1.4.1.34697.2.4 (AffirmTrust CPS v1.1, p. 4)
  • A-Trust: 1.2.40.0.17.1.22 (a.sign SSL EV CPS v1.3.4)
  • Buypass: 2.16.578.1.26.1.3.3 (Buypass Class 3 EV CPS, p. 10)
  • Camerfirma: 1.3.6.1.4.1.17326.10.14.2.1.2, 1.3.6.1.4.1.17326.10.8.12.1.2 (Camerfirma CPS v3.2.3)
  • Comodo Group: 1.3.6.1.4.1.6449.1.2.1.5.1 (Comodo EV CPS, p. 28)
  • DigiCert: 2.16.840.1.114412.2.1 (DigiCert EV CPS v. 1.0.3, p. 56)
  • DigiNotar*: 2.16.528.1.1001.1.1.1.12.6.1.1.1 (DigiNotar CPS v 3.5, p. 2)
  • Entrust: 2.16.840.1.114028.10.1.2 (Entrust EV CPS, p. 37)
  • GeoTrust: 1.3.6.1.4.1.14370.1.6 (GeoTrust EV CPS v. 2.6, p. 28)
  • GlobalSign: 1.3.6.1.4.1.4146.1.1 (GlobalSign EV CPS v. 6.5, p. 24)
  • Go Daddy: 2.16.840.1.114413.1.7.23.3 (Go Daddy EV CPS v. 2.0, p. 42)
  • Izenpe: 1.3.6.1.4.1.14777.6.1.1, 1.3.6.1.4.1.14777.6.1.2 (DOCUMENTACIÓN ESPECÍFICA PARA EL CERTIFICADO DE SERVIDOR SEGURO SSL EV, p. 5; DOCUMENTACIÓN ESPECÍFICA PARA EL CERTIFICADO DE SEDE ELECTRÓNICA EV, p. 5)
  • Keynectis: 1.3.6.1.4.1.22234.2.5.2.3.1 (KEYNECTIS EV CA CPS v 0.3, p. 10)
  • Network Solutions: 1.3.6.1.4.1.782.1.2.1.8.1 (Network Solutions EV CPS v. 1.1, 2.4.1)
  • QuoVadis: 1.3.6.1.4.1.8024.0.2.100.1.2 (QuoVadis Root CA2 CP/CPS, p. 34)
  • SECOM Trust Systems: 1.2.392.200091.100.721.1 (SECOM Trust Systems EV CPS (in Japanese), p. 2)
  • Starfield Technologies: 2.16.840.1.114414.1.7.23.3 (Starfield EV CPS v. 2.0, p. 42)
  • StartCom Certification Authority: 1.3.6.1.4.1.23223.2, 1.3.6.1.4.1.23223.1.1.1 (StartCom CPS, no. 4)
  • SwissSign: 2.16.756.1.89.1.2.1.1 (SwissSign Gold CA-G2 CP/CPS, p. 7)
  • Thawte: 2.16.840.1.113733.1.7.48.1 (Thawte EV CPS v. 3.3, p. 95)
  • Trustwave**: 2.16.840.1.114404.1.1.2.4.1 (SecureTrust EV CPS v1.1.1, p. 5)
  • VeriSign: 2.16.840.1.113733.1.7.23.6 (VeriSign EV CPS v. 3.3, p. 87)
  • Verizon Business (formerly Cybertrust): 1.3.6.1.4.1.6334.1.100.1 (Cybertrust CPS v.5.2, p. 20)
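The following Python is an added example, not code from the Wikipedia article or from any browser or CA. It shows the identification step described in this section together with the browser-side matching described under "User interface": it DER-decodes a certificatePolicies extension value, extracts each policyIdentifier OID (skipping policy qualifiers such as a CPS URI), and grants the EV display only when one of those OIDs is the one registered for that issuer and the certificate is current. The registry is a subset of the table above keyed by issuer name; the extension bytes, the validity dates and the non-EV policy OID 1.3.6.1.4.1.99999.1.1 are constructed for the example, and chain validation and revocation checking are assumed to have been done elsewhere.

```python
from datetime import datetime, timedelta

# Subset of the article's EV policy OID table, keyed by issuer. In a browser this
# registry is filled in by the vendor after the CA's audit; here it is a constant.
EV_POLICY_OIDS = {
    "AffirmTrust": {"1.3.6.1.4.1.34697.2.1", "1.3.6.1.4.1.34697.2.2",
                    "1.3.6.1.4.1.34697.2.3", "1.3.6.1.4.1.34697.2.4"},
    "Comodo Group": {"1.3.6.1.4.1.6449.1.2.1.5.1"},
    "DigiCert": {"2.16.840.1.114412.2.1"},
    "Entrust": {"2.16.840.1.114028.10.1.2"},
}


def encode_oid(dotted):
    """DER-encode the content octets of an OBJECT IDENTIFIER (no tag or length)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    # The first two arcs share one sub-identifier: 40 * arc1 + arc2.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]                    # lowest 7 bits, continuation bit clear
        value >>= 7
        while value:
            chunk.append((value & 0x7F) | 0x80)   # higher groups carry bit 7 set
            value >>= 7
        out.extend(reversed(chunk))               # most significant group first
    return bytes(out)


def decode_oid(body):
    """Inverse of encode_oid: OID content octets -> dotted string."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue                              # more groups follow for this arc
        if not arcs:
            first = 2 if value >= 80 else value // 40
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag, body):
    """Tag-length-value with a short-form length (sufficient for this example)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def read_tlv(data, pos):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def policy_oids(ext_value):
    """Walk certificatePolicies ::= SEQUENCE OF PolicyInformation and return every
    policyIdentifier as a dotted string. Qualifiers (CPS URI, user notice) are skipped."""
    tag, seq, _ = read_tlv(ext_value, 0)
    assert tag == 0x30, "certificatePolicies must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        assert tag == 0x30, "PolicyInformation must be a SEQUENCE"
        oid_tag, oid_body, _ = read_tlv(info, 0)  # policyIdentifier is the first element
        assert oid_tag == 0x06, "policyIdentifier must be an OBJECT IDENTIFIER"
        oids.append(decode_oid(oid_body))
    return oids


def ev_display(issuer, ext_value, not_before, not_after, now):
    """Model the browser's decision: a policy OID must be the one registered for this
    issuer (an OID registered to a different CA does not count) and the certificate
    must be current. Chain validation and revocation checks are assumed done elsewhere."""
    if not (not_before <= now <= not_after):
        return False
    registered = EV_POLICY_OIDS.get(issuer, set())
    return any(oid in registered for oid in policy_oids(ext_value))


# Constructed sample extension: DigiCert's EV OID carrying a CPS-URI qualifier, then a
# made-up non-EV policy (1.3.6.1.4.1.99999.1.1 is a placeholder, not a real policy).
CPS_QUALIFIER = tlv(0x30, tlv(0x30,
    tlv(0x06, encode_oid("1.3.6.1.5.5.7.2.1"))    # policyQualifierId = id-qt-cps
    + tlv(0x16, b"http://example.com/cps")))      # IA5String CPS URI (constructed)
SAMPLE_EXTENSION = tlv(0x30,
    tlv(0x30, tlv(0x06, encode_oid("2.16.840.1.114412.2.1")) + CPS_QUALIFIER)
    + tlv(0x30, tlv(0x06, encode_oid("1.3.6.1.4.1.99999.1.1"))))

# Constructed validity window around the date of this article revision.
NOW = datetime(2013, 1, 10)
NOT_BEFORE, NOT_AFTER = NOW - timedelta(days=30), NOW + timedelta(days=335)

if __name__ == "__main__":
    print(policy_oids(SAMPLE_EXTENSION))
    print(ev_display("DigiCert", SAMPLE_EXTENSION, NOT_BEFORE, NOT_AFTER, NOW))      # True
    print(ev_display("Comodo Group", SAMPLE_EXTENSION, NOT_BEFORE, NOT_AFTER, NOW))  # False
```

The second call is the point of the per-issuer registry: the same DigiCert OID presented in a certificate attributed to another CA does not earn the EV display, which is why the guidelines have CAs register their identifier with each browser vendor rather than rely on a single global value. Production code would hand the whole certificate to a library such as OpenSSL or NSS and only then inspect the Certificate Policies extension; this example parses the extension value alone.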

Online Certificate Status Protocol

The criteria for issuing Extended Validation certificates do not require issuing Certificate Authorities to immediately support Online Certificate Status Protocol for revocation checking. However, the requirement for a timely response to revocation checks by the browser has prompted most Certificate Authorities that had not previously done so to implement OCSP support. Section 26-A of the issuing criteria requires CAs to support OCSP checking for all certificates issued after Dec. 31, 2010.

Criticism

Availability to small businesses

Since EV certificates are being promoted and reported[5] as a mark of a trustworthy website, some small business owners have voiced concerns[6] that EV certificates give undue advantage to large businesses. The published drafts of the EV Guidelines excluded unincorporated business entities, and early media reports[6] focused on that issue. Version 1.0 of the EV Guidelines was revised to embrace unincorporated associations as long as they were registered with a recognized agency, greatly expanding the number of organizations that qualified for an Extended Validation Certificate.

Effectiveness against phishing attacks

In 2006, researchers at Stanford University and Microsoft Research conducted a usability study[7] of the EV display in Internet Explorer 7. Their paper concluded that "participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group", whereas "participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate".

References

  1. ^ Guidelines for Extended Validation Certificates
  2. ^ CA/Browser Forum Members
  3. ^ http://www.eweek.com/c/a/Security/How-Can-We-Improve-Code-Signing/
  4. ^ Hagai Bar-El. "The Inevitable Collapse of the Certificate Model". Hagai Bar-El on Security.
  5. ^ Evers, Joris (February 2, 2007). "IE 7 gives secure Web sites the green light". CNet. Retrieved 2010-02-27. The colored address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving Web surfers the green light to carry out transactions there.
  6. ^ a b Richmond, Riva (December 19, 2006). "Software to Spot 'Phishers' Irks Small Concerns". The Wall Street Journal. Retrieved 2010-02-27.
  7. ^ Jackson, Collin, et al. "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks" (PDF). Usable Security 2007.
