Intro
Extended Validation, or EV, Certificates are SSL certificates issued under the CA/Browser Forum guidelines.
They are standard x.509 certificates, with the added benefit that the identity information contained within them (organization name, location, etc) has gone through a rigorous and standardized vetting process to reduce the risk of fraud.
Johnath's 5 Minute Summary - Talk Notes
Why EV?
- Old system is balkanized
- Browser vendors didn't like having to assume the lowest common denominator
- Well-behaved CAs didn't like having to explain why customers should pay more for stronger vetting, for the same net visual treatment
So then, CAs are stoopid
- Sure, maybe. Some of them are definitely ill behaved
- But we have blame here too - browser vendors didn't jump up and yank roots when ownership changed hands, or when we saw roots misbehaving
- There were also liability issues up front, if we started specifying how things ought to be vetted, and holding the CAs to account, we could also potentially be held accountable for failures
So, much as we got to EV by distasteful means, here we are
- Version 1 passed unanimously this week (June 12), after 2.5 years of heated discussion.
- That includes yes votes from microsoft, mozilla, opera, and kde
- It specifies in substantial detail what information is required to verify identity, and how that information is to be cross-checked, and how that information should be encoded in an x.509 cert.
- IT DOES NOT SPECIFY UI TREATMENTS. It's a product of a consortium of CAs trying to level the playing field and make money doing so, let's be real. But we browsers will implement it and emphasize it only to the extent that it helps our users make better decisions.
- IT IS NOT SECURITY. This group knows the difference between identity and security, but it's worth re-iterating that the EV guidelines do not lay out much at all in the way of confirming that your business or government entity is run by nice people doing nice things.
IT IS NOT BULLETPROOF. There's good sport to be had imagining ways to hack the guidelines by bribing notaries and such. But it's much better than what we have with $20 GoDaddy certs right now, and it's consistent.
Why should this workgroup care?
- Because EV is real, and because the quality of the information they contain is higher than we've been able to assume before
- Because EV has broad commitment towards some level of implementation in the major browsers, so recommendations which rely on it will have a higher probability of implementability than those which rely on new or under-development technologies.
- Because while it's fun to roll your eyes and say "EV is not the solution to all problems" -- and that's true -- having something strong to hang identity information off of allows us to make a lot of things better. It also argues against us burning too much time trying to invent new ways of identifying sites.