
Extended Validation Certificate


The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation Certificates, currently (as of Nov 2010) at version 1.3. The guidelines[1] are produced by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions.[2]
An Extended Validation Certificate in Mozilla Firefox.


What is Extended Validation?

Extended validation is the new standard of Web security. But how does it differ from traditional SSL certificates? You'll learn these differences and how EV SSL certificates benefit your organization — and, most importantly, your customers.




The highest level of assurance for Web security possible. Supported by the most complete validation process available, Entrust EV (Extended Validation) Multi-Domain SSL Certificates take advantage of the added visual cues in today's popular browsers, including the green address bar in Microsoft® Internet Explorer® (7 or newer), Mozilla Firefox (3 and newer), Opera and Google Chrome — a clear indicator to your customers that your website is secure.

Features & Benefits


Benefits

  • Cost-efficient method of securing servers in a multi-server environment
  • Extended validation provides customers with the highest degree of assurance for transactions with companies online
  • Multi-domain capabilities save time and money by securing up to 150 fully qualified domains with a single SSL certificate
  • Established browser trust prevents customers from seeing annoying trust dialogs, regardless of how they access the site
  • Unlimited issuance policy enables flexible certificate re-issuance when users lose passwords or re-image machines
  • Visually assures customers you take security seriously by displaying the Entrust site seal
  • Self-service certificate creation eliminates the wait for manual certificate issuance
  • Convenient expiry notifications lessen risk of inadvertent certificate expiration

Features

SHA-1 or SHA-2 signing capabilities
Option to sign your certificate with SHA-1 or SHA-2. The CA's SHA-2 implementation represents the most current set of cryptographic hash functions and may be used with any CA digital certificate.

Secures from 2 to unlimited SANs (domains)

Entrust's EV Multi-Domain SSL certificate includes the capability to include 2 Subject Alt Names (SANs/domains), and additional SANs can be purchased, up to 50 in the online buy, or unlimited in a Certificate Management Service account.



Extended Validation

Site visitors see a green Web browser address bar and the organization details in the browser header indicating high security; they also can see your validated organization details in the SSL certificate. This offers a higher level of trust than Domain or Organization Validated certificates.



Available in lifetimes from 2 to 27 months

Entrust EV SSL certificates are available in the following lifetimes:
  • Singles account: 1 or 2 years
  • Non-pooling CMS account: 1 or 2 years
  • Pooling CMS account: any expiry date, to the day, between 2 and 27 months



Unlimited re-issues

Entrust offers unlimited re-issues for installation or configuration problems, loss of private keys, or a change in hosting providers or servers.



Unlimited server licenses

Entrust licenses you to install a certificate on an unlimited number of servers. This enables you to leverage a single certificate for purposes such as load balancing, or for pilot/test/production environments.



Quick Issuance

Single certificates purchased online: Entrust verification begins immediately based upon your certificate request, and your certificate is usually ready within 1-2 days.

Certificates issued through CMS: Certificates can be immediately issued, or can go through a requestor/approver process controlled by your organization, for pre-approved domains, resulting in quick issuance that doesn't rely on the service level of the certificate vendor.



Global trust

Entrust certificates are trusted by and compatible with all browsers (99%+) and mobile operating systems (95%+). This means that almost 100% of your site visitors will automatically trust your SSL certificate.



Available around-the-clock support

Silver support is included with any certificate purchase.

Platinum support, which offers 24/7/365 support, is available as an optional purchase to CMS customers.



Warranty protection

Please refer to "Entrust Warranty" for details.



Expiry Notifications

Receive multiple expiry notifications by email to multiple parties in advance of certificate expiry, to ensure you are never caught with certificates expiring unexpectedly.



Available with Entrust Certificate Management Service

Entrust Wildcard SSL certificates are available with the enhanced management capabilities of the Entrust Certificate Management Service. See "Entrust Certificate Management Service" for more details.



Easy purchase

Easily purchase certificates online with a credit card or by speaking with an Entrust representative.



Free Site Seal Included

Entrust's trusted site seal features point-to-verify capabilities for simple confirmation of SSL certificate validity.



  • Supports browser-to-server and server-to-server connections
  • Supports 2048-bit keys and 128- or 256-bit SSL encryption

How to Buy

Before you submit your SSL request to Entrust, please ensure you have the following information:

  • Certificate Signing Request (CSR)

The Certificate Signing Request (CSR) is generated with your Web server software and contains both the public key portion of your Web server's key pair and the Distinguished Name (DN) of your Web server.

Please reference the Entrust EV Multi-Domain SSL Certificate Enrollment Guide for further instructions on generating a CSR.

  • Domain is registered to your organization

The certificate issued by Entrust Certificate Services includes the Common Name of the customer's Web server (e.g., www.entrust.com). This Common Name identifies the Domain Name registered by an organization.

To determine the registered owner of the Domain Name, Entrust will look up the Domain Name in the appropriate WHOIS database. The registered owner of the domain must match the organization name verified by Entrust.

For more information, please see the Entrust EV Multi-Domain SSL Certificate Enrollment Guide.

  • A business phone number that can be found through a third-party directory
  • Billing, technical, authorization and corporate authority contact details
  • Higher Authority – This can be a corporate executive, legal counsel, etc. who will approve the identity of the Certificate Signing Authority, Certificate Approver and Requester.
  • Contract Signer – This is the person that can sign the subscription agreement on behalf of the company. This may be the same person as the Certificate Approver.
  • Certificate Approver – This is the person that provides the signed application certificate request, any additional certificate approver and authorizes the Certificate Requester. They also will provide confirmation for the ownership and exclusive rights to that domain name. In the current ECS system, this would be the Authorization Contact.
  • Certificate Requester – This is the person that is requesting the certificate. In the current ECS system, this would be the Technical Contact.

For more information, please see the Entrust EV Multi-Domain SSL Certificate Enrollment Guide.

  • Payment method (see below)
  • Back up of your private key

The generation of a Certificate Signing Request (CSR) also includes the generation of a Web server private key. It is essential to back up the private key as it directly corresponds with the SSL certificate you will receive from Entrust. The private key is a very sensitive piece of information so please take appropriate steps to ensure that only authorized personnel have access to the Web server's private key.

For documentation that outlines backing up a Web server private key, please visit http://www.entrust.net/ssl-technical/webserver.cfm. For more information regarding general enrollment, please see the Entrust EV Multi-Domain SSL Certificate Enrollment Guide.

  • Business headquarters and incorporation information

Business Headquarters – Provide the FULL address of your business headquarters.

  • Street
  • City
  • State/Province
  • Country
  • ZIP/Postal Code
  • DUNS Number (optional)

Jurisdiction of Incorporation – If you are aware of your jurisdiction of incorporation information, please provide this information (these fields are NOT mandatory).

  • Registration Number
  • Incorporating Agency
  • Date of Incorporation
  • City/Town
  • State/Province
  • County

For additional inquiries or assistance, please review the Entrust EV SSL Certificate Enrollment Guide.

Payment Information
Entrust accepts American Express®, Visa® and Master Card®. The credit card will not be debited until the SSL certificate has been issued. An online receipt is provided at the end of the payment process. Purchase orders will be accepted for orders of US $1,000 or more. Once a purchase order has been accepted by Entrust sales, customers will be provided with information on how to submit SSL certificate (EV) orders.

For further information about our digital SSL certificates or to place a purchase order, please call 1-888-690-2424 or contact us online.

Online Ordering & Support
If you are using a proxy server, you may experience problems when ordering online. For further information, please visit the Entrust EV Multi-Domain SSL Certificates FAQ or contact Entrust Certificate Services Support.



EV Multi-Domain SSL Certificate | Description
New | Activates green address bar and other visual security cues; extensive validation according to requirements issued by the CA/Browser Forum
Renew | Customers who previously purchased Entrust EV Multi-Domain SSL Certificates can renew their certificates at a discounted price.



An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued. Certificates issued by a CA under the EV guidelines are not structurally different from other certificates (and hence provide no stronger cryptography than other, cheaper certificates), but are designated with a CA-specific policy identifier so that EV-aware software can recognize them.



History

In 2005 Melih Abdulhayoglu convened the first meeting of the organization that became the CA/Browser Forum, hoping to improve standards for issuing SSL certificates.[3] On June 12, 2007, the CA/Browser Forum officially ratified the first version of the Extended Validation (EV) SSL Guidelines, which took effect immediately. The formal approval successfully brought to a close more than two years of effort, and provided the infrastructure for trusted Web site identity on the Internet. Then, in April 2008, the Forum announced version 1.1 of the Guidelines, building on the practical experience of its member CAs and Relying-Party Application Software Suppliers gained in the months since the first version was approved for use.
Motivation

An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.

Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites.

By establishing stricter issuing criteria and requiring consistent application of those criteria by all participating CAs, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business or organization with a verifiable identity.

That said, there is still the concern that the same lack of accountability that led to the loss of public confidence in ordinary certificates, will lead to lax certification practices that will deteriorate the value of EV certificates as well.[4]
Issuing criteria

Only CAs who pass an independent audit as part of their WebTrust (or equivalent) review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:
  • Establish the legal identity as well as the operational and physical presence of the website owner;
  • Establish that the applicant is the domain name owner or has exclusive control over the domain name; and
  • Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.
User interface

Browsers with EV support display more information for EV certificates than for previous SSL certificates. Microsoft Internet Explorer 7, Mozilla Firefox 3.5, Safari 3.2, Opera 9.5, and Google Chrome all provide EV support.

The Extended Validation guidelines require participating Certificate Authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the Certificate Authority has completed an independent audit and met other criteria. The browser matches the EV identifier in the SSL certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the SSL certificate receives the enhanced EV display in the browser's user interface. In most implementations, the enhanced display includes:
  • The name of the company or entity that owns the certificate.
  • The name of the SSL Certificate Authority (CA) that issued the EV certificate.
  • A distinctive color, usually green, shown in the address bar to indicate that a valid EV certificate was received.
Compatibility

Most of the Extended Validation SSL Certificates are compatible with the following browsers:[citation needed]
  • Google Chrome
  • IE 5.01+
  • AOL 5+
  • Netscape 4.7+
  • Opera 7+
  • Safari
  • Mozilla 1+
  • Firefox 1+
  • Konqueror
Supported Mobile Device Browsers
  • Microsoft Pocket Internet Explorer
  • Palm / Handspring Blazer 2.0+
  • Blackberry
  • AT&T
  • Netfront 3.0+
  • Safari for iOS (iPhone 3GS and later)

Extended Validation supports all current releases of commercial and freeware web servers supporting SSL v.3. Supported servers include:
  • Apache + mod_ssl
  • Apache + Raven
  • Apache + Raven 1.5x
  • Apache + SSLeay
  • BEA WebLogic
  • C2Net Stronghold
  • Cobalt RaQ3/RaQ4 "Main Site"
  • Cobalt RaQ3 "Virtual Site"
  • Cobalt RaQ4 "Virtual Site"
  • IBM HTTP
  • iPlanet Enterprise Server 4.1
  • Lotus Domino Go 4.6.2.6 and higher
  • Lotus Domino 4.6 and higher
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0
  • Netscape Enterprise/Fast Track
  • O'Reilly WebSite Professional 2.X
  • Stronghold 3
  • WebSTAR 4
  • WebSTAR V
  • Zeus Web Server v3

Extended Validation certificate identification

EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement. As with root certificate authorities in general, browsers may not recognize all issuers.
Issuer | OID | Certification Practice Statement
Buypass | 2.16.578.1.26.1.3.3 | Buypass Class 3 EV CPS, p. 10
Comodo | 1.3.6.1.4.1.6449.1.2.1.5.1 | Comodo EV CPS, p. 28
Cybertrust | 1.3.6.1.4.1.6334.1.100.1 | Cybertrust CPS v.5.2, p. 20
DigiCert | 2.16.840.1.114412.2.1 | DigiCert EV CPS v. 1.0.3, p. 56
DigiNotar | 2.16.528.1.1001.1.1.1.12.6.1.1.1 | DigiNotar CPS v 3.5, p. 2
Entrust | 2.16.840.1.114028.10.1.2 | Entrust EV CPS, p. 37
GeoTrust | 1.3.6.1.4.1.14370.1.6 | GeoTrust EV CPS v. 2.6, p. 28
GlobalSign | 1.3.6.1.4.1.4146.1.1 | GlobalSign EV CPS v. 6.5, p. 24
Go Daddy | 2.16.840.1.114413.1.7.23.3 | Go Daddy EV CPS v. 2.0, p. 42
Izenpe | 1.3.6.1.4.1.14777.6.1.1 | DOCUMENTACIÓN ESPECÍFICA PARA EL CERTIFICADO DE SERVIDOR SEGURO SSL EV, p. 5
Izenpe | 1.3.6.1.4.1.14777.6.1.2 | DOCUMENTACIÓN ESPECÍFICA PARA EL CERTIFICADO DE SEDE ELECTRÓNICA EV, p. 5
Keynectis | 1.3.6.1.4.1.22234.2.5.2.3.1 | KEYNECTIS EV CA CPS v 0.3, p. 10
Network Solutions | 1.3.6.1.4.1.782.1.2.1.8.1 | Network Solutions EV CPS v. 1.1, 2.4.1
QuoVadis | 1.3.6.1.4.1.8024.0.2.100.1.2 | QuoVadis Root CA2 CP/CPS, p. 34
SECOM Trust Systems | 1.2.392.200091.100.721.1 | SECOM Trust Systems EV CPS (in Japanese), p. 2
Starfield Technologies | 2.16.840.1.114414.1.7.23.3 | Starfield EV CPS v. 2.0, p. 42
StartCom Certification Authority | 1.3.6.1.4.1.23223.2 | StartCom CPS, no. 4
StartCom Certification Authority | 1.3.6.1.4.1.23223.1.1.1 | StartCom CPS, no. 4
SwissSign | 2.16.756.1.89.1.2.1.1 | SwissSign Gold CA-G2 CP/CPS, p. 7
Thawte | 2.16.840.1.113733.1.7.48.1 | Thawte EV CPS v. 3.3, p. 95
Trustwave* | 2.16.840.1.114404.1.1.2.4.1 | SecureTrust EV CPS v1.1.1, p. 5
VeriSign | 2.16.840.1.113733.1.7.23.6 | VeriSign EV CPS v. 3.3, p. 87
Wells Fargo | 2.16.840.1.114171.500.9 | WellsSecure PKI CPS v. 12.1.2, p. 14

* "XRamp Security Services, Inc.", successor to SecureTrust Corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave")
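As an added example (not code from the page, from Entrust or from any browser vendor), the following Python decodes a certificate's CertificatePolicies extension and applies the per-issuer check described under User interface: the policy OID must equal the one registered for that specific CA, so the same OID presented under a different issuer is not treated as EV. It assumes the issuer name has already been derived from the chain's trusted root, and the extension bytes it checks are constructed inline from OIDs in the table above.

```python
# Added example (not from the page, a CA or a browser vendor); the OIDs below are three rows of the table above.
EV_POLICY_OIDS = {"Entrust": {"2.16.840.1.114028.10.1.2"},
                  "DigiCert": {"2.16.840.1.114412.2.1"},
                  "Izenpe": {"1.3.6.1.4.1.14777.6.1.1", "1.3.6.1.4.1.14777.6.1.2"}}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OBJECT IDENTIFIER content octets into dotted-decimal text."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base 128, high bit means "continues"
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def encode_oid(dotted):
    """Encode a dotted-decimal OID as DER content octets (inverse of decode_oid)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:  # higher 7-bit groups carry the continuation bit
            groups.insert(0, (arc & 0x7F) | 0x80)
        out += groups
    return bytes(out)

def policy_oids(ext_value):
    """List every policyIdentifier in a DER-encoded CertificatePolicies value."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        _, info, pos = read_tlv(seq, pos)          # one PolicyInformation
        oid_tag, oid_bytes, _ = read_tlv(info, 0)  # its policyIdentifier
        if oid_tag == 0x06:
            oids.append(decode_oid(oid_bytes))
    return oids

def is_ev(issuer, ext_value):
    """True only when a policy OID equals the EV OID registered for this issuer."""
    return bool(EV_POLICY_OIDS.get(issuer, set()) & set(policy_oids(ext_value)))

def der(tag, content):
    """Wrap content in a DER TLV (long length form when content exceeds 127 bytes)."""
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + content

def build_policies(*dotted):
    """Construct a DER CertificatePolicies value (sample data for this demo)."""
    infos = [der(0x30, der(0x06, encode_oid(d))) for d in dotted]
    return der(0x30, b"".join(infos))
```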
Online Certificate Status Protocol

The criteria for issuing Extended Validation certificates do not require issuing Certificate Authorities to immediately support Online Certificate Status Protocol for revocation checking. However, the requirement for a timely response to revocation checks by the browser has prompted most Certificate Authorities that had not previously done so to implement OCSP support. Section 26-A of the issuing criteria requires CAs to support OCSP checking for all certificates issued after Dec. 31, 2010.
Criticism
Availability to small businesses

Since EV certificates are being promoted and reported[5] as a mark of a trustworthy website, some small business owners have voiced concerns[6] that EV certificates give undue advantage to large businesses. The published drafts of the EV Guidelines excluded unincorporated business entities, and early media reports[6] focused on that issue. Version 1.0 of the EV Guidelines was revised to embrace unincorporated associations as long as they were registered with a recognized agency, greatly expanding the number of organizations that qualified for an Extended Validation Certificate.
Effectiveness against phishing attacks

In 2006, researchers at Stanford University and Microsoft Research conducted a usability study[7] of the EV display in Internet Explorer 7. Their paper concluded that "participants who received no training in browser security features did not notice the extended validation indicator and did not outperform the control group", whereas "participants who were asked to read the Internet Explorer help file were more likely to classify both real and fake sites as legitimate".
See also
  • Transport Layer Security (TLS)
  • Certificate authority
  • Comparison of SSL certificates for web servers