Talk:Extended Validation Certificate

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Has anybody found the spec for this?[edit]

Has anybody found the actual specification for "Extended Validation" certificates? That info should be here. It's not easy to find, and may not be public yet. --John Nagle 22:07, 25 October 2006 (UTC)

Yes, I would encourage someone with a neutral point of view and a good knowledge of cryptography to aggressively rewrite this article. I read the article hoping to find out what Extended Validation entails on a technical as opposed to a marketing level, and the existing press release text is unhelpful.--Eb Oesch 22:51, 25 October 2006 (UTC)

I'm trying to find out more about this, and all I can find are press releases. The "CA Browser Forum" does not appear to have a web site. There was a private meeting of the big players on September 20th, 2006, but no specs have appeared publicly that I can find. The American Bar Association, which is involved with the "CA Browser Forum", has a statement on how certificates ought to work legally[1] but it is from 2004, and not technically detailed. --John Nagle 01:33, 26 October 2006 (UTC)
I found this in http://cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf:
certificate Policies
MUST be present and SHOULD NOT be marked critical. The set of

policyIdentifiers MUST include the identifier for the CA’s extended validation policy.

According to http://biz.yahoo.com/iw/061211/0193193.html
https://overstock.com should have such a great certificate.
I can find this policy in there:

2.16.840.1.113733.1.7.23.3

Is this what IE checks??? [Christian H.]
As of now, the certificate for "www.overstock.com" isn't a new one. It was issued on 2006-09-28. And it doesn't have some of the fields required for a High Assurance certificate. There's no corporate ID number or business street address. That OID is from 2003, and specifies a Verisign Class 3 certificate, which is good, but not High Assurance. --John Nagle 07:42, 28 December 2006 (UTC)

The spec is at http://cabforum.org/EV_Certificate_Guidelines.pdf although the document there is currently marked "DRAFT October 20, 2006" and "Version 1.0 - Draft 11". Morgan Collett 13:32, 16 January 2007 (UTC)

Name is wrong[edit]

Article should be Extended Validation Certificate, High Assurance should be a redirect, the article should not mention SSL as they are not only used for SSL. --Gorgonzilla 15:56, 7 November 2006 (UTC)

Incorrect; the EV Guidelines are specifically for SSL certificates. The CA/B Forum may address vetting regimes for other types of digital certificate in future. "High assurance" should not be used for EV as this term is used by some CAs (notably Comodo) for their standard organisational vetted certificates. -- Cryptoki 01:49, 27 January 2007 (UTC)
Nope. The guidelines do note that the current version only covers SSL uses, but future versions may cover other specifically listed protocols in the future. The title of the document is as stated, and I've moved the article. --NealMcB 00:03, 22 February 2007 (UTC)

Version 1 of the EV Guidelines[edit]

The CA/Browser Forum has posted a new Version 1 of the EV Guidelines, which addresses many of the issues crticised in earlier drafts. Notably, the Guidelines now allow EV certificates to be issued to non-corporate entities such as individuals and partnerships. http://www.cabforum.org/ --Cryptoki 18:00, 12 June 2007 (UTC)

Trouble[edit]

{{cv-unsure|68.39.174.238|2=http://en.wikipedia.org/w/index.php?title=Extended_Validation_%28High_Assurance%29_SSL_Certificates&oldid=77119283}} (Removed copyright warning template, since that issue was long since dealt with. Keeping the template puts the article in a category.)--John Nagle 03:28, 5 August 2007 (UTC)

This whole thing is phrased in a very strange manner. I strongly suspect it was copied from somewhere. 68.39.174.238 03:52, 30 December 2006 (UTC)

I don't see any evidence of copying. I searched Google with three unique-looking phrases from the article, and all the hits were from sites that are copies of Wikipedia. Even the original version of the article doesn't seem to be a copyvio. About ten editors have edited this article since, and the language has changed substantially. Why does the anon think this is a copy of something?
The "Woodgrove Bank" image is an edited screenshot of a dummy site Microsoft offers for testing. There is no "Woodgrove Bank". But that's an issue for the image, not the text. That demo image should probably be replaced anyway, once somebody actually brings up a web site with a High Assurance certificate. --John Nagle 06:51, 31 December 2006 (UTC)
Mellon Investor Services is using one of these certificates. Dgreenbe 16:28, 3 January 2007 (UTC)
No, it's not. See below. --John Nagle 19:13, 3 January 2007 (UTC)
there are EV certs at https://www.verisign.com and https://www.entrust.net. Cryptoki 01:51, 27 January 2007 (UTC)
The image used here is an edited screenshot of an EV cert. Someone may wish to take an image of an operational cert. - Cryptoki 12:08, 7 February 2007 (UTC)

Verisign issuing invalid certificates?[edit]

Verisign has issued at least one non-compliant Extended Validation certificate.

The certificate, which was issued for Mellon Investor Services, and can be seen on that site, has SUBJECT information as follows:

CN = www.melloninvestor.com
OU = Terms of use at www.verisign.com/rpa (c)05
OU = IT
O = Mellon Investor Services
L = Jersey City
ST = New Jersey
C = US

The "Jurisdiction of Incorporation" and "Registration Number" required by the standards at [2] are NOT present. That seems to be a violation of the standards.

The ISSUER is

CN = VeriSign Class 3 Secure Server CA
OU = Terms of use at https://www.verisign.com/rpa (c)05
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US

Interesting. Already Verisign seems to be breaking the rules. --John Nagle 18:22, 3 January 2007 (UTC)

I've been in touch with Verisign. That is not a "High Assurance with Extended Validation" certificate, according to Spiros Theodossiou of Verisign. --John Nagle 19:12, 3 January 2007 (UTC)

OID table now covers 4 main vendors. Please make appropriate additions.[edit]

I've added a table of the OID values which identify Extended Validation certificates. There's no unified way to identify EV certificates; each vendor has a different OID, silly though that is. There's no published table of this information yet, but each vendor's certification practice statement has their OID. So I've looked up the values for three major vendors and cited them appropriately. Please add to the table. Carefully, please. Find the Certification Practice Statement and cite the page from which the OID came. There's no public list of this information elsewhere, so people will use these numbers. --John Nagle 07:47, 14 January 2007 (UTC)

I've added Thawte's OID per their CPS. Unfortunately their page numbering is inconsistent, and restarts at 1 after page 93 - so page 95 is actually marked "2". Morgan Collett 13:13, 16 January 2007 (UTC)
The information from Quo Vadis doesn't seem to appear in their Certification Practice Statement, so I put a "citation needed" tag on that entry. --John Nagle 18:29, 17 January 2007 (UTC)

The OID presented as "EV policy" is registered at IANA enterprise-numbers. Some sites, www.oid-info.com, provides the owner and the registered OID trees. —Preceding unsigned comment added by 189.127.6.234 (talk) 15:29, 22 October 2010 (UTC)

Exclusion of Small Businesses[edit]

  • The title of this section should remain "Exclusion of Small Businesses". Changing it to "Encompassing Small Business" is misleading: the criticism of EV described in this section, widely discussed both online and in articles written about EV, is that small businesses are excluded. Ka-Ping Yee 00:20, 6 February 2007 (UTC)
  • I have removed from this section the sentence "The CA/Browser Forum has indicated that work is underway to accommodate these entities in the next version of the EV Guidelines, expected in early 2007." It needs a source. If you can provide a reference to some sort of official statement by the CA/Browser Forum indicating these intentions, please add it. Thanks. Ka-Ping Yee 00:20, 6 February 2007 (UTC)

Vulnerability to Phishing[edit]

  • Again, the concern here is specifically that EV will not stop phishing. The study specifically studied vulnerability to phishing attacks, so the title of the section should mention them. Ka-Ping Yee 00:27, 6 February 2007 (UTC)
  • I removed the sentence "Browsers continue to develop enhancements to their user interface," as it's essentially content-free and sounds more like something that belongs in marketing documentation than a factual encyclopedia article. Ka-Ping Yee 00:27, 6 February 2007 (UTC)

Wrong Certification Practice Statement pointer for VeriSign?[edit]

The certificate you get from the URL https://www.verisign.com contains another CPS pointer than the one, which is displayed in the table in this article (see last entry, for VeriSign). Here is, what you find in the certificate: https://www.verisign.com/rpa. The content of that page seems not to be a CSP. But you may find another one at VeriSign's web pages: https://www.verisign.com/repository/CPS/VeriSignCPSv3.5.pdf. However, I tend to believe that sites CPS pointers point to should be secured by SSL/TLS as well. Zettmann 16:44, 20 September 2007 (UTC)

Cite for GlobalSign needs improvement[edit]

The cite for GlobalSign's OID is vague; it's a link to a page of various GlobalSign links. Unlike all the others, there's no page number. I can't find the OID in those documents.

It's worth keeping this detailed list accurate; as far as I know, there's still no other public collection of where all the OIDs for EV certs are defined. --John Nagle (talk) 05:18, 14 February 2008 (UTC)

DV, OV, and EV certs - who makes that distinction?[edit]

Someone linked to 'SSL 247'[3] which is a certificate reseller. They divide certificates into three categories.

  • Domain validation (DV) - "Gives no 3rd party assurances as to who owns the website." This is what some issuers call "Quick SSL" - it doesn't validate much of anything.
  • Organization validation (OV) - "Give end users 3rd party proof that the company who owns the website is legitimate. Identifies the company in question also." This requires some verification of business identity. Somewhat more expensive than DV.
  • Extended validation (EV) - Like OV, but "activates the ‘green bar" in browsers. Much more expensive than OV or DV.

Most users, and browsers, don't distinguish between DV and OV. Globalsign has a similar classification [4][5]. StartSSL seems to use the terms "Class 1" and "Class 2" for "DV" and "OV".[6] We make that distinction internally within our SiteTruth system; lacking any standard to follow, we consider a cert with an "L" (location) field to be an OV cert.

Is this accepted nomenclature, or is this just Globalsign and their resellers? Is there a standard way to distinguish a DV cert from an OV cert? --John Nagle (talk) 17:40, 11 March 2008 (UTC)

This doesn't seem to be standard terminology, so it doesn't go in the article. Although it's not info suitable for Wikipedia, I've been exchanging E-mail with the CA Browser Forum, and they only do EV certs; they have no intention of dealing with any other cert related issues. --John Nagle (talk) 04:38, 13 March 2008 (UTC)

I know Comodo makes that distinction. Katharine908 (talk) 16:48, 21 July 2009 (UTC)

This technology isn't as great as it may seem.[edit]

This technology isn't as great as it may seem. The biggest problem with it is that it only adds another authority figure with the keys and ability to issue the coveted EV approval. It has no significant technological advantage over crypt standards already being used, and it promotes the chain of trust instead of the web of trust. I think its a scam to be honest. In fact, I'm going to apply for my own OID and call it cAShakeMoneyHands, a superior mark only available to the richest webmasters, and it will be way more valuable than the EV bit. The only think I need to do is buy in on the browser idiocy scam, maybe offer some stock under the table. Template:Unsigned-anon 96.13.29.139

It's not a "technology" at all, except for the part of the browser that says "make this thingy green now". The certificates are technically identical to "reduced validation" certificates, they just have a bit that says "I'm EV! Trust me!". A business performs the validations. That's business, not technology. --76.247.105.43 (talk) 21:41, 25 March 2009 (UTC)

Added image and Description[edit]

I have added a new image taken on IE 8 and Firefox 3.5 and edited the description that was "no longer turns yellow to indicate a secure connection" to "turns Green color to indicate a secure connection". Lakshmi VB Narsimhan 09:34, 21 July 2009 (UTC)

Another Image Added[edit]

I have also added an image an EV Certificate (PayPal's), yet numerous times they have been removed. I have taken the screenshot myself, and I doubt that PayPal care about this image. If someone or a bot removes this I will be editing the name out. Thompson.matthew (talk) 03:07, 25 December 2009 (UTC)

Added more information about Tec-ED research[edit]

The section on the study that Tec-Ed conducted on user responses to the EV "green bar" was missing some very significant information about how the study was conducted -- information that reduce the study's reliability to a level that is probably below what would be considered acceptable in an academic context.

Methodological flaws include:

  • The two web site mock-ups with and with EV and without EV had radically different graphic designs, color palettes, and content. The effect of design on conversion rates and visitor confidence is well established.
  • Subjects were selected to have a high degree of familiarity with and concern about internet security, so the results are not applicable to the general internet-shopping public.
  • The researchers called the subjects' attention to the 'security features' at the top of the browser, then explained to them what the green bar meant and how it indicated increased security before asking them questions about it.


The study in question is titled "Extended Validation and VeriSign Brand" and includes questions that deal exclusively with brand recognition of VeriSign, a major provider of EV SSL services, and is available on the VeriSign web site. Though it is not mentioned in the white paper, it seems obvious that the research was funded by VeriSign. This doesn't invalidate its results by itself, but in combination with the methodological problems mentioned above, the funding source could lead to some suspicions about the objectivity of the research. —Preceding unsigned comment added by 207.194.3.2 (talk) 22:24, 26 February 2010 (UTC)

Restored certificate identification data[edit]

Restored the certificate identification data section. There was some controversy over listing prices, so I left those out, but the table of OIDs which identify an EV certificate is useful.

The only way to identify an EV certificate is to have a table of the OID values used by each CA. That table is hard to obtain. Wikipedia is one of the very few public places where that data is available. --John Nagle (talk) 05:47, 16 February 2011 (UTC)

Full refresh needed?[edit]

This page seems to have ongoing relevance and I agree with John that the OIDs are helpful. Not sure if the consensus is that the neutrality issue has been resolved, but the whole article does seem to need a refresh. The business has changed with Symantec now owning VeriSign, Thawte, GeoTrust and RapidSSL. Our organization uses thawte, and checking the reference for the CPS, I found it quite out of date (link is dead, and their current version of the CPS is 3.7.3 (6 versions since 3.3, though some minor). I updated the CA/Browser link, but would have to spend a bit of time updating the whole page. Do people think a refresh would be useful, or are we in the final stages before the predicted "inevitable collapes" and should let this page slowly collapse with it? (I'm not en experienced editor, but I'm willing to take a crack if I can find some spare time.) Wigbold (talk) 13:32, 16 June 2011 (UTC)

Changes at CA/Browser forum[edit]

The CA/Browser forum seems to be making some major changes, but they're hard to figure out. First, they now recognize three levels of certificate: "domain-validated", "organizationally validated", and "extended validation".[7] There was some discussion on this talk page previously about some CAs making similar distinctions, but there was no standard. Now, there is, sort of. That's probably worth a mention in the article.

Second, the CA/Browser forum seems to be trying to establish itself as the standards authority for all CA-issued certificates used for web browsing (as opposed to code signing, email, etc.)[8] They have a draft [9] of a standard for issuance of all browser-trusted certs. Previously, the IETF standardized that. More on this later. --John Nagle (talk) 19:41, 7 August 2011 (UTC)

Mozilla list of EV cert OIDs[edit]

The list of valid EV OIDs used by Mozilla/Firefox is actually compiled into the code for Firefox. It can be found here.[10]. Using that data in Wikipedia, though, might be OR, although we can link to it. --John Nagle (talk) 17:04, 30 March 2012 (UTC)

Stars[edit]

In the OID list there is 1 star sign at "DigiNotar*" and 2 star signs at "TrustWave**", but nowhere is a footnote what "*" and "**" means. Also, the "Web browsers" section is shown inside the OID-table (left column) which looks very weird once expanded (using latest IE). Someone else has this issue? --217.229.1.88 (talk) 22:39, 27 June 2012 (UTC)

Certum revert[edit]

The following revert http://en.wikipedia.org/w/index.php?title=Extended_Validation_Certificate&diff=499678826&oldid=499670486 with the note "No indication of notability" seems to be ignorant. CERTUM is one of Poland's largest CAs and it is trusted in all major browsers as well as Windows. Therefore it is used as popular AuthentiCode CA and used for many OpenSource projects since they give free certificates to OpenSource developers (e.g. the developers of TurtoiseSVN). I do not see any reason why this article should not contain this OID since it is a valid EV OID by an international trusted CA. So please re-add this edit. --79.255.123.170 (talk) 03:44, 27 July 2012 (UTC)

DV, OV, and EV certs[edit]

There have been some changes since 2012. The CA/Browser Forum issued "Baseline Requirements" for all certs, effective July 2012.[11] The new rules now recognize "DV" (Domain Validated), "OV" (Organization Validated), "IV" (Individual person Validated) and "EV" (Extended Validation) certificates. Associated with this are new OIDs for OV certificates, one per CA, which work the same way EV OIDs work. As for EV OIDs, the CA-specific OIDs are in each CA's Certification Practice Statement.

So what do we do to the article? Add a column or two to the big table in this article? Or should this go in CA/Browser Forum, or somewhere else. One consolidated table is more useful than several, spread over multiple articles. Comments? John Nagle (talk) 18:21, 27 October 2014 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just added archive links to 2 external links on Extended Validation Certificate. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

☑Y An editor has reviewed this edit and fixed any errors that were found.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.


Cheers.—cyberbot IITalk to my owner:Online 18:38, 31 December 2015 (UTC)

EV certs fault of CAs' lower validation for normal certs? In the end it was a good thing.[edit]

think about it. had normal certs still the validation needs and price of an EV then

a) Individuals couldn't get an SSL cert

b) smaller businesses might have a problem with the prices

in short SSL wouldn't be where it is today. Without pure domain Validation, things like StartSSL or Let's Encrypt wouldn't even exist which gives indivuiduals and web communities a very nice way to use HTTPS so their Users' Passwords wont be seen, while keeping a high validation standard that is visible to the users for Banks and similar stuff. and with banks trying to teach their web users to watch for the green bar, phishing via impersonation gets harder.

also since EV certs (unlike normal certs) enforce revocation checks (unlike normal certs because the outage would be too high if they would be enforced and the OCSP/CRL is offline for whatever reason).

Prople might say that EVs are "just a way to get their high prices and lost standards back", but in the end, the lowering of the cert prices and even creating free CAs made ssl popular enough that browsers can be starting to think about to mark plain HTTP sites as insecure.

My1 09:08, 10 February 2016 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Extended Validation Certificate. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at {{Sourcecheck}}).

As of February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{sourcecheck}} (last update: 15 July 2018).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.


Cheers.—cyberbot IITalk to my owner:Online 04:29, 23 June 2016 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just modified one external link on Extended Validation Certificate. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

As of February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{sourcecheck}} (last update: 15 July 2018).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.


Cheers.—InternetArchiveBot (Report bug) 11:37, 26 September 2017 (UTC)

External links modified (January 2018)[edit]

Hello fellow Wikipedians,

I have just modified one external link on Extended Validation Certificate. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

As of February 2018, "External links modified" talk page sections are no longer generated or monitored by InternetArchiveBot. No special action is required regarding these talk page notices, other than regular verification using the archive tool instructions below. Editors have permission to delete these "External links modified" talk page sections if they want to de-clutter talk pages, but see the RfC before doing mass systematic removals. This message is updated dynamically through the template {{sourcecheck}} (last update: 15 July 2018).

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.


Cheers.—InternetArchiveBot (Report bug) 11:15, 20 January 2018 (UTC)