Talk:Extended Validation Certificate

From Wikipedia, the free encyclopedia

Contents 1 Has anybody found the spec for this? 2 Name is wrong 3 Trouble 4 Verisign issuing invalid certificates? 5 OID table now covers 4 main vendors. Please make appropriate additions. 6 Exclusion of Small Businesses 7 Vulnerability to Phishing

[edit] Has anybody found the spec for this?

Has anybody found the actual specification for "Extended Validation" certificates? That info should be here. It's not easy to find, and may not be public yet. --John Nagle 22:07, 25 October 2006 (UTC)

Yes, I would encourage someone with a neutral point of view and a good knowledge of cryptography to aggressively rewrite this article. I read the article hoping to find out what Extended Validation entails on a technical as opposed to a marketing level, and the existing press release text is unhelpful.--Eb Oesch 22:51, 25 October 2006 (UTC)

I'm trying to find out more about this, and all I can find are press releases. The "CA Browser Forum" does not appear to have a web site. There was a private meeting of the big players on September 20th, 2006, but no specs have appeared publicly that I can find. The American Bar Association, which is involved with the "CA Browser Forum", has a statement on how certificates ought to work legally[1] but it is from 2004, and not technically detailed. --John Nagle 01:33, 26 October 2006 (UTC)

I found this in http://cabforum.org/EV_Certificate_Guidelines_-_Draft_10-2...pdf:

certificate Policies

MUST be present and SHOULD NOT be marked critical. The set of

policyIdentifiers MUST include the identifier for the CA’s extended validation policy.

According to http://biz.yahoo.com/iw/061211/0193193.html

https://overstock.com should have such a great certificate.

I can find this policy in there:

2.16.840.1.113733.1.7.23.3

Is this what IE checks??? [Christian H.]

As of now, the certificate for "www.overstock.com" isn't a new one. It was issued on 2006-09-28. And it doesn't have some of the fields required for a High Assurance certificate. There's no corporate ID number or business street address. That OID is from 2003, and specifies a Verisign Class 3 certificate, which is good, but not High Assurance. --John Nagle 07:42, 28 December 2006 (UTC)

The spec is at http://cabforum.org/EV_Certificate_Guidelines.pdf although the document there is currently marked "DRAFT October 20, 2006" and "Version 1.0 - Draft 11". Morgan Collett 13:32, 16 January 2007 (UTC)

[edit] Name is wrong

Article should be Extended Validation Certificate, High Assurance should be a redirect, the article should not mention SSL as they are not only used for SSL. --Gorgonzilla 15:56, 7 November 2006 (UTC)

Incorrect; the EV Guidelines are specifically for SSL certificates. The CA/B Forum may address vetting regimes for other types of digital certificate in future. "High assurance" should not be used for EV as this term is used by some CAs (notably Comodo) for their standard organisational vetted certificates. -- Cryptoki 01:49, 27 January 2007 (UTC)

Nope. The guidelines do note that the current version only covers SSL uses, but future versions may cover other specifically listed protocols in the future. The title of the document is as stated, and I've moved the article. --NealMcB 00:03, 22 February 2007 (UTC)

[edit] Trouble

68.39.174.238 suspects that this article (specifically this version) is a copyright violation, but without a source this can not be definitively determined. If this article can be shown to be a copyright infringement, please list the article on Wikipedia:Copyright problems. If you are certain that the article is not a copyright violation, you should give evidence below. Please do not remove this tag without discussion.

This whole thing is phrased in a very strange manner. I strongly suspect it was copied from somewhere. 68.39.174.238 03:52, 30 December 2006 (UTC)

I don't see any evidence of copying. I searched Google with three unique-looking phrases from the article, and all the hits were from sites that are copies of Wikipedia. Even the original version of the article doesn't seem to be a copyvio. About ten editors have edited this article since, and the language has changed substantially. Why does the anon think this is a copy of something?

The "Woodgrove Bank" image is an edited screenshot of a dummy site Microsoft offers for testing. There is no "Woodgrove Bank". But that's an issue for the image, not the text. That demo image should probably be replaced anyway, once somebody actually brings up a web site with a High Assurance certificate. --John Nagle 06:51, 31 December 2006 (UTC)

Mellon Investor Services is using one of these certificates. Dgreenbe 16:28, 3 January 2007 (UTC)

No, it's not. See below. --John Nagle 19:13, 3 January 2007 (UTC)

there are EV certs at https://www.verisign.com and https://www.entrust.net. Cryptoki 01:51, 27 January 2007 (UTC)

The image used here is an edited screenshot of an EV cert. Someone may wish to take an image of an operational cert. - Cryptoki 12:08, 7 February 2007 (UTC)

[edit] Verisign issuing invalid certificates?

Verisign has issued at least one non-compliant Extended Validation certificate.

The certificate, which was issued for Mellon Investor Services, and can be seen on that site, has SUBJECT information as follows:

CN = www.melloninvestor.com

OU = Terms of use at www.verisign.com/rpa (c)05

OU = IT

O = Mellon Investor Services

L = Jersey City

ST = New Jersey

C = US

The "Jurisdiction of Incorporation" and "Registration Number" required by the standards at [2] are NOT present. That seems to be a violation of the standards.

The ISSUER is

CN = VeriSign Class 3 Secure Server CA

OU = Terms of use at https://www.verisign.com/rpa (c)05

OU = VeriSign Trust Network

O = VeriSign, Inc.

C = US

Interesting. Already Verisign seems to be breaking the rules. --John Nagle 18:22, 3 January 2007 (UTC)

I've been in touch with Verisign. That is not a "High Assurance with Extended Validation" certificate, according to Spiros Theodossiou of Verisign. --John Nagle 19:12, 3 January 2007 (UTC)

[edit] OID table now covers 4 main vendors. Please make appropriate additions.

I've added a table of the OID values which identify Extended Validation certificates. There's no unified way to identify EV certificates; each vendor has a different OID, silly though that is. There's no published table of this information yet, but each vendor's certification practice statement has their OID. So I've looked up the values for three major vendors and cited them appropriately. Please add to the table. Carefully, please. Find the Certification Practice Statement and cite the page from which the OID came. There's no public list of this information elsewhere, so people will use these numbers. --John Nagle 07:47, 14 January 2007 (UTC)

I've added Thawte's OID per their CPS. Unfortunately their page numbering is inconsistent, and restarts at 1 after page 93 - so page 95 is actually marked "2". Morgan Collett 13:13, 16 January 2007 (UTC)

The information from Quo Vadis doesn't seem to appear in their Certification Practice Statement, so I put a "citation needed" tag on that entry. --John Nagle 18:29, 17 January 2007 (UTC)

[edit] Exclusion of Small Businesses

• The title of this section should remain "Exclusion of Small Businesses". Changing it to "Encompassing Small Business" is misleading: the criticism of EV described in this section, widely discussed both online and in articles written about EV, is that small businesses are excluded. Ka-Ping Yee 00:20, 6 February 2007 (UTC)

• I have removed from this section the sentence "The CA/Browser Forum has indicated that work is underway to accommodate these entities in the next version of the EV Guidelines, expected in early 2007." It needs a source. If you can provide a reference to some sort of official statement by the CA/Browser Forum indicating these intentions, please add it. Thanks. Ka-Ping Yee 00:20, 6 February 2007 (UTC)

[edit] Vulnerability to Phishing

• Again, the concern here is specifically that EV will not stop phishing. The study specifically studied vulnerability to phishing attacks, so the title of the section should mention them. Ka-Ping Yee 00:27, 6 February 2007 (UTC)
• I removed the sentence "Browsers continue to develop enhancements to their user interface," as it's essentially content-free and sounds more like something that belongs in marketing documentation than a factual encyclopedia article. Ka-Ping Yee 00:27, 6 February 2007 (UTC)