Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

TMaster — Wed, 08 Nov 2006 00:03:45 GMT

Heh, of course the industry response has been very strong, if you'd be selling hot air, you'd be excited as well ;-)

Seriously though, I think this is a nice improvement - as long as users make sure to Check the Green.

And don't forget KDE is not a browser - it's a Desktop Environment. Konqueror is the browser that is nicely integrated with KDE, the K Desktop Environment.

*can't wait for development on IE8 to start ;-)*

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Mike Beltzner — Wed, 08 Nov 2006 00:16:37 GMT

I'm not sure that "strong improvement" is the right way to characterize the response to Draft 11, which was not approved as version 1.0 of the guidelines.

There are several concerning aspects to Draft 11, especially around who is currently allowed to obtain EV certificates. Creating a new tier of "high assurance" certificates and then limiting the availability (see Section 5a and 5d) to incorporated associations and partnerships strikes me as extremely problematic.

I believe that some form of identity assurance for websites is required, and am very interested in determining how to create that assurance in way that is open and accessible to all citizens of the web, and hope that Draft 12 addresses these concerns.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

kL — Wed, 08 Nov 2006 00:21:08 GMT

To me it looks just like what Opera does for a year now. How's that different than Opera's implementation (using OCSP)?

Don't focus on the green bar, focus on Draft 11

Mike Beltzner — Wed, 08 Nov 2006 00:26:34 GMT

I would encourage readers (and commenters) like kL not to focus on the browser's specific rendering of the presence/absence of EV certificates. That's a question for the browser vendors to address, and I'd hope that (like we did with the lock) we come up with a consistent metaphor across browsers to ensure that users can build a mental model of security-on-the-web.

Instead, please focus on what Kelvin is actually talking about here, which are the guidelines around how EV certs are awarded to entities and the processes and procedures used to provide "high assurance" that the cert-holder is who they claim to be, as well as the processes for repudiation and the repealing of these certificates if/when problems arise. That's the meat of the proposal before our community, and it needs the wisdom of your eyes!

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

EricLaw [MSFT] — Wed, 08 Nov 2006 01:39:14 GMT

@KL: Opera9 displays information from the certificate, but it doesn't have any awareness of what data in the certificate had been validated by the CA, or how that validation was done. EV guidelines will help remove this ambiguity.

re: No awareness?

AdrianS — Wed, 08 Nov 2006 03:10:00 GMT

Not sure what you mean by "does not have awareness"? Surely the CA has validated the entity name and domain - otherwise they have no business being a CA!

I would argue that we don't need EV at all just better policies for CAs. If a CA is not up to its job, just revoke the CA's licence.

This is similar to the kernel signing for Vista - how is a CA "more trusted" than another? How is a certificate "more trusted" than another? Why not just trusted or not trusted?

I do want to thank you for including more CAs than just MS's buddy Verisign... Now if you could "fix" WinQual many developers would get their Christmas/New Year presents early ;)

Adrian

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Tester — Wed, 08 Nov 2006 10:59:38 GMT

The idea that MS could simply kill off a CA at their own initiative without getting sued is unforrtunately hopelessly naïve. Without a defined criteria for what constitutes "acceptable" validation, there's no grounds to revoke anyone.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Tester — Wed, 08 Nov 2006 10:59:54 GMT

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Wolf — Wed, 08 Nov 2006 11:59:01 GMT

Does that work with XP, too, or only with Vista? I had a problem testing it with XP although I had installed the testing root certificate of Microsoft.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Petr — Wed, 08 Nov 2006 12:46:49 GMT

No doubt that CAs do not validate the certificate requests properly. This wrong careless behavior should be correctd and not to add new, more expensive "EV" certificates.

Were there any real cases with not properly validated certificates or the whole problem is just theoretical?

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

goose — Wed, 08 Nov 2006 13:50:06 GMT

I have always been confused and asking "who gave me this certificate!?!!" Now IE7 will save me and the web in general. I love EV SSL!!

I think it's good how you don't mention your main competitor, Mozilla Foundation, and instead mention Opera and KDE.

I look forward to getting a certificate from Woodcove Tank in IE and of course knowing it's fake like millions of Average Joes out there surely will! I think IE7 is brilliant! I also like the green.

It's superb how we don't have to upgrade to Vista for this. Microsoft are great to offer this for free next year! But of course it's recommended to update because we will all be better off when we drop XP; years of updating behind the scenes must make me safer!

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Wed, 08 Nov 2006 14:59:21 GMT

Of late Verisign has been heavily pushing a new initiative for extended verification certificates, going so far as being on record criticising Mozilla for not keeping up with security innovations that Microsoft has already implemented, to give this some context, EV certificates are similar to the Class 3 certificates CAcert issues, minus the huge price tag.

While we applaud the effort to unify procedures and processes CAs employ we feel things have been heavily slanted towards commercial certificate authorities so much so that it seems to be more about keeping a strangle hold on the market and the price tag that comes with it then any actual improvements with security that end users might enjoy.

As a result, there is a number of flawed assumptions being pushed that can only be seen as helping out Verisign’s bottom line, not helping out end users, and while I can understand Microsoft’s motivations for accepting Verisign’s recommendations so openly, one must start to question Mozilla’s motives for even contemplating doing the same.

Now, if this was to truly help out users, surely we would hope for wide spread adoption, but this won’t be the case, even Verisign has expectations that 99% of sites will stick with the status quo. This becomes even more interesting when you take into account how this will be or is implemented in browsers.

Currently Firefox turns the URL bar yellow when the site is secured with SSL, with EV certificates the URL bar will turn green, this is supposed to indicate that the site is great and super and should be implicitly trusted, but if most sites are yellow users will tend to associate yellow as being just as good as green. We’ve seen this behaviour in the past with people simply clicking through any popups, which occur far too regularly and people only end up clicking without even reading them.

CAcert was aware at the time of discussions that occurred between most/all browser vendors and some certificate authorities, however when we asked to participate our requests largely fell on deaf ears.

The bigger problem here is with the Mozilla Foundation itself, well over a year ago, there was university trained researchers falling over themselves to help out the mozilla foundation, they had conducted real studies into how to improve the browser experience and way to help users to detect fraudulent websites. The Mozilla Foundation basically snubbed the researchers and their efforts at creating proof of concepts in the hope of having their research utilised for the benefit of everyone.

The research has since been incorporated in tool bars by HP and others for Internet Explorer.

It makes you wonder how much research Verisign and others have completed to back up their claims that this will help users?

This is yet another example of people being told what they need to be safe, when it’s most likely not going to do anything except convince businesses to spend more money with Verisign, so again I’m left wondering why the Mozilla Foundation is entertaining this current push by Verisign to lock out competitors, and has little or no benefit for users and businesses in general, even though helping users is the excuse being used as why this is needed.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Mike Beltzner — Wed, 08 Nov 2006 19:14:50 GMT

Duane, you realize this is the IE7 blog, right? Mozilla actually abstained from the vote to accept Draft 11, although we continue to participate in the CA/Browser forum since we recognize the existing problems and limitations with certificates, and are interested in exploring sensible solutions.

Not speaking for Mozilla, but speaking personally, I think that there's promise in EV/HA Certificates, but I don't think that Draft 11 is quite there yet, and am pretty concerned about a lot of the broader claims being made by its proponents. I also think we should be separating EV Certificates, The Technology and How Browsers Display EV Certificate Presence/Absence.

(also, above, where I said "I'm not sure that "strong improvement" is the right way to characterize the response to Draft 11", I meant to write "I'm not sure that "strong SUPPORT" is the right way ..."

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Max Battcher — Wed, 08 Nov 2006 21:46:59 GMT

I have to agree with the sentiments that this seems like a huge bilk for anyone in the market for certificates by adding an additional tier to an already artificial tier system. Let's be honest that SSL Certificate costs are already inflated well beyond any actual expense costs, with the only excuse being validation requirements. EV appears to give CAs the excuse to lower the bar for their standard practices for existing certificates without lowering cost. I highly doubt that someone that makes so much money on their certificates, and already alleges to follow the practices asked by EV, like Verisign, would offer EV as standard practice with no additional cost, but I'd love to be proven wrong.

In the end, I'm worried that should the "added assurance" of that green bar in IE catch on in public opinion small businesses will have even more costs to eat to maintain their own web presence. The barrier to entry for that "green bar" becomes a further obstacle in a small business, in attempting to grow, gaining public trust. SSL Certificates are the equivalent of a tax on internet business and I'm wondering if CA Forum is at all representing the small business needs rather than CA bottom lines and absurd profit margins.

Sorry for turning this into a CA rant, but I'm just jealous that I don't own a CA company.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 01:18:45 GMT

Yes I realise this is an IE blog, however I had something pre-written that concerned both parties, however my sentiment is the same regardles, this isn't going to help end users, this isn't going to be widely accepted and Verisign and others have estimated the cost to be something like 150% more then current certificates cost (or about $2000-$2500 per year)... Now what small business can afford that?

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Thinker — Thu, 09 Nov 2006 13:48:52 GMT

Duane-- Either cite your sources, or expect that your "estimates" are ignored for the fiction that they are.

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 15:30:20 GMT

While some are in damage control trying to discredit the article, it was straight from the horses mouth http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 15:31:08 GMT

While some are in damage control trying to discredit the article, it was straight from the horses mouth http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 15:33:37 GMT

While some are in damage control trying to discredit the article, it was straight from the horses mouth www.theregister.co.uk/2006/10/25/verisign_extended_validation/

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 15:34:47 GMT

While some are in damage control trying to discredit the article, it was straight from the horses mouth www.theregister.co.uk/2006/10/25/verisign_extended_validation/

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Duane — Thu, 09 Nov 2006 15:37:53 GMT

Hmmmm, I didn't mean to post multiple times but I was getting there was a bug and admins have been notified and nothing was showing up...

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

wng_z3r0 — Fri, 10 Nov 2006 08:18:23 GMT

I think it's a good idea :)

~wng_z3r0

Microsoft MVP security

re: Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

xfile — Tue, 14 Nov 2006 05:26:42 GMT

Dear all,

Enough is enough!!

http://news.com.com/With+IE+7%2C+green+means+go+for+legit+sites/2100-1029-6134647.html?part=dht&tag=nl.e703

In addition to the usability issues of the browser, IE 7 soon will provide

misleading and false information about smaller sites that don't have EV SSL

certificate (which is expensive and currently available only for large

corporations) installed as a possible "phishing" site.

It has done it again - using a sound reason for stupid moves, and this time,

it will put thousands and thousands of small businesses out of business.

If your site does not have EV SSL certificate installed, IE could give false

and misleading information to your visitors that you site is NOT a

legitimate site.

I will now remove IE 7 from all of my systems and officially boycott IE 7

including the Vista which is using IE 7!!

How I'll Judge IE7 Security

IEBlog — Wed, 15 Nov 2006 02:46:11 GMT

As an engineer, I’m proud of the protections we delivered by finishing IE7 but I want to set your expectations

Extended Validation (EV) SSL and Small Businesses

IEBlog — Thu, 21 Dec 2006 22:00:43 GMT

I’m Markellos Diorinos, and I am a product manager with the Internet Explorer team. Yesterday I read

IE7 at RSA San Francisco

IEBlog — Tue, 06 Feb 2007 21:10:12 GMT

Back in November, we announced our intention to bring Extended Validation SSL Certificates to IE7 . This

The war on the new EV SSL Cerfiticates has begun

TrustDefender Blog — Thu, 08 Feb 2007 04:07:06 GMT

Entrust announced that they upgrade Non-EV Verisign SSL Certificates to Entrust EV Certificates for the same price they are paying for Non-EV Certificates.According to the Website this would be only $399 USD per year instead of $1499 USD per year.I do

931125 - Stammzertifikatsupdate (V11) - 27.02.07

patch-info.de — Tue, 27 Feb 2007 23:42:43 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms fr Stammzertifikate akzeptiert wird. Durch Hinzufgen zustzlicher Stammzert

931125 - Stammzertifikatsupdate (V12) - 26.06.07

patch-info.de — Sat, 30 Jun 2007 21:50:48 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammzert

931125 - Stammzertifikatsupdate (V13) - 24.07.07

patch-info.de — Tue, 24 Jul 2007 21:19:18 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammzert

Learn The 3 Secrets To Cure Acid Reflux

Learn The 3 Secrets To Cure Acid Reflux — Wed, 19 Sep 2007 14:45:35 GMT

If you suffer from Acid Reflux, then I would highly recommend visiting this excellent website, some of the tips helped me cure my Acid Reflux within a week.

931125 - Stammzertifikatsupdate (V14) - 25.09.07

patch-info.de — Sat, 29 Sep 2007 11:11:50 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammzert

The 5 Critical Steps To be Acid Reflux Free

The 5 Critical Steps To be Acid Reflux Free — Thu, 04 Oct 2007 17:23:29 GMT

A friend just showed me this brilliant Heartburn and Acid reflux website that gives you great tips

931125 - Stammzertifikatsupdate (V16) - 22.01.08

patch-info.de — Wed, 23 Jan 2008 10:59:23 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze

Address Bar Improvements in Internet Explorer 8 Beta 1

IEBlog — Tue, 11 Mar 2008 20:06:02 GMT

Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact).

Address Bar Improvements in Internet Explorer 8 Beta 1

Noticias externas — Tue, 11 Mar 2008 20:27:49 GMT

Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact

931125 - Stammzertifikatsupdate (V17) - 27.05.08

patch-info.de — Tue, 27 May 2008 20:18:50 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze

IE8 and Trustworthy Browsing

IEBlog — Wed, 25 Jun 2008 03:40:25 GMT

This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated

IE8 Security Part III: SmartScreen® Filter

IEBlog — Wed, 02 Jul 2008 19:01:45 GMT

As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

931125 - Stammzertifikatsupdate (V18) - 23.09.08

patch-info.de — Tue, 23 Sep 2008 11:11:24 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze

931125 - Stammzertifikatsupdate (V19) - 25.11.08

patch-info.de — Tue, 25 Nov 2008 12:11:36 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze

931125 - Stammzertifikatsupdate (V20) - 24.02.09

patch-info.de — Tue, 24 Feb 2009 15:38:03 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze

IE8 보안 5부 : 통합 보호

IE8 팀 블로그 — Tue, 17 Mar 2009 11:53:00 GMT

    안녕하세요! 저는 인터넷 익스플로러 보안 프로그램의 책임자인 에릭 로렌스라고 합니다. 지난 화요일, 딘(Dean)이 신뢰성 높은 브라우저 에 대한 저희의 생각을

931125 - Stammzertifikatsupdate (V21) - 26.05.09

patch-info.de — Tue, 26 May 2009 10:25:52 GMT

Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze