
Talk:Extended Validation Certificate

From Wikipedia, the free encyclopedia


Has anybody found the spec for this?

Has anybody found the actual specification for "Extended Validation" certificates? That info should be here. It's not easy to find, and may not be public yet. --John Nagle 22:07, 25 October 2006 (UTC)

Yes, I would encourage someone with a neutral point of view and a good knowledge of cryptography to aggressively rewrite this article. I read the article hoping to find out what Extended Validation entails on a technical as opposed to a marketing level, and the existing press release text is unhelpful.--Eb Oesch 22:51, 25 October 2006 (UTC)

I'm trying to find out more about this, and all I can find are press releases. The "CA Browser Forum" does not appear to have a web site. There was a private meeting of the big players on September 20th, 2006, but no specs have appeared publicly that I can find. The American Bar Association, which is involved with the "CA Browser Forum", has a statement on how certificates ought to work legally[1] but it is from 2004, and not technically detailed. --John Nagle 01:33, 26 October 2006 (UTC)
I found this in http://cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf:

certificate Policies MUST be present and SHOULD NOT be marked critical. The set of policyIdentifiers MUST include the identifier for the CA’s extended validation policy.

According to http://biz.yahoo.com/iw/061211/0193193.html, https://overstock.com should have such a great certificate.
I can find this policy in there:

2.16.840.1.113733.1.7.23.3

Is this what IE checks??? [Christian H.]
As of now, the certificate for "www.overstock.com" isn't a new one. It was issued on 2006-09-28. And it doesn't have some of the fields required for a High Assurance certificate. There's no corporate ID number or business street address. That OID is from 2003, and specifies a Verisign Class 3 certificate, which is good, but not High Assurance. --John Nagle 07:42, 28 December 2006 (UTC)

The spec is at http://cabforum.org/EV_Certificate_Guidelines.pdf although the document there is currently marked "DRAFT October 20, 2006" and "Version 1.0 - Draft 11". Morgan Collett 13:32, 16 January 2007 (UTC)

Name is wrong

Article should be Extended Validation Certificate, High Assurance should be a redirect, the article should not mention SSL as they are not only used for SSL. --Gorgonzilla 15:56, 7 November 2006 (UTC)

Incorrect; the EV Guidelines are specifically for SSL certificates. The CA/B Forum may address vetting regimes for other types of digital certificate in future. "High assurance" should not be used for EV as this term is used by some CAs (notably Comodo) for their standard organisational vetted certificates. -- Cryptoki 01:49, 27 January 2007 (UTC)
Nope. The guidelines do note that the current version only covers SSL uses, but future versions may cover other specifically listed protocols in the future. The title of the document is as stated, and I've moved the article. --NealMcB 00:03, 22 February 2007 (UTC)

Version 1 of the EV Guidelines

The CA/Browser Forum has posted a new Version 1 of the EV Guidelines, which addresses many of the issues criticised in earlier drafts. Notably, the Guidelines now allow EV certificates to be issued to non-corporate entities such as individuals and partnerships. http://www.cabforum.org/ --Cryptoki 18:00, 12 June 2007 (UTC)

Trouble

{{cv-unsure|68.39.174.238|2=http://en.wikipedia.org/w/index.php?title=Extended_Validation_%28High_Assurance%29_SSL_Certificates&oldid=77119283}} (Removed copyright warning template, since that issue was long since dealt with. Keeping the template puts the article in a category.)--John Nagle 03:28, 5 August 2007 (UTC)

This whole thing is phrased in a very strange manner. I strongly suspect it was copied from somewhere. 68.39.174.238 03:52, 30 December 2006 (UTC)

I don't see any evidence of copying. I searched Google with three unique-looking phrases from the article, and all the hits were from sites that are copies of Wikipedia. Even the original version of the article doesn't seem to be a copyvio. About ten editors have edited this article since, and the language has changed substantially. Why does the anon think this is a copy of something?
The "Woodgrove Bank" image is an edited screenshot of a dummy site Microsoft offers for testing. There is no "Woodgrove Bank". But that's an issue for the image, not the text. That demo image should probably be replaced anyway, once somebody actually brings up a web site with a High Assurance certificate. --John Nagle 06:51, 31 December 2006 (UTC)
Mellon Investor Services is using one of these certificates. Dgreenbe 16:28, 3 January 2007 (UTC)
No, it's not. See below. --John Nagle 19:13, 3 January 2007 (UTC)
There are EV certs at https://www.verisign.com and https://www.entrust.net. Cryptoki 01:51, 27 January 2007 (UTC)
The image used here is an edited screenshot of an EV cert. Someone may wish to take an image of an operational cert. - Cryptoki 12:08, 7 February 2007 (UTC)

Verisign issuing invalid certificates?

Verisign has issued at least one non-compliant Extended Validation certificate.

The certificate, which was issued for Mellon Investor Services, and can be seen on that site, has SUBJECT information as follows:

CN = www.melloninvestor.com
OU = Terms of use at www.verisign.com/rpa (c)05
OU = IT
O = Mellon Investor Services
L = Jersey City
ST = New Jersey
C = US

The "Jurisdiction of Incorporation" and "Registration Number" required by the standards at [2] are NOT present. That seems to be a violation of the standards.

The ISSUER is

CN = VeriSign Class 3 Secure Server CA
OU = Terms of use at https://www.verisign.com/rpa (c)05
OU = VeriSign Trust Network
O = VeriSign, Inc.
C = US

Interesting. Already Verisign seems to be breaking the rules. --John Nagle 18:22, 3 January 2007 (UTC)

I've been in touch with Verisign. That is not a "High Assurance with Extended Validation" certificate, according to Spiros Theodossiou of Verisign. --John Nagle 19:12, 3 January 2007 (UTC)

OID table now covers 4 main vendors. Please make appropriate additions.

I've added a table of the OID values which identify Extended Validation certificates. There's no unified way to identify EV certificates; each vendor has a different OID, silly though that is. There's no published table of this information yet, but each vendor's certification practice statement has their OID. So I've looked up the values for three major vendors and cited them appropriately. Please add to the table. Carefully, please. Find the Certification Practice Statement and cite the page from which the OID came. There's no public list of this information elsewhere, so people will use these numbers. --John Nagle 07:47, 14 January 2007 (UTC)

I've added Thawte's OID per their CPS. Unfortunately their page numbering is inconsistent, and restarts at 1 after page 93 - so page 95 is actually marked "2". Morgan Collett 13:13, 16 January 2007 (UTC)
The information from Quo Vadis doesn't seem to appear in their Certification Practice Statement, so I put a "citation needed" tag on that entry. --John Nagle 18:29, 17 January 2007 (UTC)

Exclusion of Small Businesses

  • The title of this section should remain "Exclusion of Small Businesses". Changing it to "Encompassing Small Business" is misleading: the criticism of EV described in this section, widely discussed both online and in articles written about EV, is that small businesses are excluded. Ka-Ping Yee 00:20, 6 February 2007 (UTC)
  • I have removed from this section the sentence "The CA/Browser Forum has indicated that work is underway to accommodate these entities in the next version of the EV Guidelines, expected in early 2007." It needs a source. If you can provide a reference to some sort of official statement by the CA/Browser Forum indicating these intentions, please add it. Thanks. Ka-Ping Yee 00:20, 6 February 2007 (UTC)

Vulnerability to Phishing

  • Again, the concern here is specifically that EV will not stop phishing. The study specifically studied vulnerability to phishing attacks, so the title of the section should mention them. Ka-Ping Yee 00:27, 6 February 2007 (UTC)
  • I removed the sentence "Browsers continue to develop enhancements to their user interface," as it's essentially content-free and sounds more like something that belongs in marketing documentation than a factual encyclopedia article. Ka-Ping Yee 00:27, 6 February 2007 (UTC)

Wrong Certification Practice Statement pointer for VeriSign?

The certificate you get from the URL https://www.verisign.com contains a different CPS pointer from the one displayed in the table in this article (see last entry, for VeriSign). Here is what you find in the certificate: https://www.verisign.com/rpa. The content of that page does not seem to be a CPS. But you may find another one at VeriSign's web pages: https://www.verisign.com/repository/CPS/VeriSignCPSv3.5.pdf. However, I tend to believe that the sites CPS pointers point to should be secured by SSL/TLS as well. Zettmann 16:44, 20 September 2007 (UTC)

Cite for GlobalSign needs improvement

The cite for GlobalSign's OID is vague; it's a link to a page of various GlobalSign links. Unlike all the others, there's no page number. I can't find the OID in those documents.

It's worth keeping this detailed list accurate; as far as I know, there's still no other public collection of where all the OIDs for EV certs are defined. --John Nagle (talk) 05:18, 14 February 2008 (UTC)

DV, OV, and EV certs - who makes that distinction?

Someone linked to 'SSL 247'[3] which is a certificate reseller. They divide certificates into three categories.

  • Domain validation (DV) - "Gives no 3rd party assurances as to who owns the website." This is what some issuers call "Quick SSL" - it doesn't validate much of anything.
  • Organization validation (OV) - "Give end users 3rd party proof that the company who owns the website is legitimate. Identifies the company in question also." This requires some verification of business identity. Somewhat more expensive than DV.
  • Extended validation (EV) - Like OV, but "activates the 'green bar'" in browsers. Much more expensive than OV or DV.

Most users, and browsers, don't distinguish between DV and OV. Globalsign has a similar classification [4][5]. StartSSL seems to use the terms "Class 1" and "Class 2" for "DV" and "OV".[6] We make that distinction internally within our SiteTruth system; lacking any standard to follow, we consider a cert with an "L" (location) field to be an OV cert.

Is this accepted nomenclature, or is this just Globalsign and their resellers? Is there a standard way to distinguish a DV cert from an OV cert? --John Nagle (talk) 17:40, 11 March 2008 (UTC)

This doesn't seem to be standard terminology, so it doesn't go in the article. Although it's not info suitable for Wikipedia, I've been exchanging E-mail with the CA Browser Forum, and they only do EV certs; they have no intention of dealing with any other cert related issues. --John Nagle (talk) 04:38, 13 March 2008 (UTC)
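
Added example, not part of the discussion above: a sketch of the checks the threads describe, combining the EV policy OID in certificatePolicies, the subject fields an EV certificate must carry, and the "L field means OV" heuristic. The function names, the OpenSSL-style attribute names and the VeriSign EV OID (taken from its CPS, not from this page) are assumptions; the pairing of the Mellon subject with a policy OID in the usage is constructed.

```python
# Added example: classify a certificate as DV, OV or EV from subject fields and policy OIDs.
# EV policy OIDs are per-CA; this entry is VeriSign's (assumption: from its CPS, not this page).
EV_POLICY_OIDS = {"2.16.840.1.113733.1.7.23.6": "VeriSign"}

# Subject attributes an EV certificate must carry, by OpenSSL short name or dotted OID.
JURISDICTION = {"jurisdictionC", "1.3.6.1.4.1.311.60.2.1.3"}
REGISTRATION = {"serialNumber", "SERIALNUMBER", "2.5.4.5"}

# Subject quoted in the thread for www.melloninvestor.com.
MELLON_SUBJECT = """
CN = www.melloninvestor.com
OU = Terms of use at www.verisign.com/rpa (c)05
OU = IT
O = Mellon Investor Services
L = Jersey City
ST = New Jersey
C = US
"""


def parse_subject(text):
    """Parse 'KEY = value' lines (the layout quoted in the thread) into {key: [values]}."""
    subject = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            subject.setdefault(key.strip(), []).append(value.strip())
    return subject


def classify(subject, policy_oids):
    """Return (label, problems); label is 'EV', 'OV' or 'DV'."""
    problems = []
    if not any(oid in EV_POLICY_OIDS for oid in policy_oids):
        # No EV policy OID: fall back to the 'L field means OV' heuristic from the thread.
        return ("OV" if "L" in subject else "DV"), problems
    if JURISDICTION.isdisjoint(subject):
        problems.append("missing jurisdiction of incorporation")
    if REGISTRATION.isdisjoint(subject):
        problems.append("missing registration number")
    return "EV", problems
```

With the Class 3 OID quoted earlier on this page, `classify(parse_subject(MELLON_SUBJECT), ["2.16.840.1.113733.1.7.23.3"])` returns `("OV", [])`; a non-empty problem list alongside `"EV"` marks a certificate that asserts an EV policy without the required subject fields.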

