Extended Validation Certificates (EV)

Goals

EV addresses the following goals:

Overview

In pre-EV browsers the only visible cue indicating the security status to the user is the presence or absence of the padlock icon. Moreover, the semantics of the padlock icon are confused: users are encouraged to believe that the padlock icon tells them that a site is trustworthy, whereas its actual semantics are merely that communication with the site is encrypted.

EV is designed to provide the user with a clearly visible indication of accountability of both the certificate subject and the certificate issuer. While accountability does not guarantee trustworthiness of the subject it is a good control.

In order to become an approved issuer of EV certificates an issuer must be in compliance with the CABForum minimum criteria, as demonstrated by a WebTrust audit of the certification practices. Presentation of the Issuer identity within the EV user experience ensures accountability of the certificate issuer above and beyond the minimum criteria.

The EV certificate issue criteria do not by themselves imply or require any special processing by browsers, rather they enable special processing to be performed by providing an accountable source of data that the browser may rely on as being authoritative for the purpose of supporting an enhanced user experience.

Browsers should implement an enhanced EV experience for SSL and for code downloads.

Applicability

The use of EV certificates is applicable to any Web user agent that supports SSL or TLS.

Requirement and Best Practice

Web user agents MUST require credentials that establish accountability of the credential subject whenever a representation of enhanced security is made to the user.

Web user agents SHOULD allow a user to disqualify an X.509 root of trust for the purpose of recognizing EV certs.

Web user agents SHOULD NOT allow a user to qualify an X.509 root of trust that is not otherwise qualified for the purpose of recognizing EV certs.

Techniques

A certificate issuer distinguishes a certificate authenticated according to EV criteria by means of an issuer specific extension OID.

Providers of Web user agents MUST implement a mechanism for securely identifying and managing X.509 certificate chains that are considered trustworthy for the purpose of making a representation of enhanced security to the user.

Dependencies

EV depends upon the SSL server certificate chain information and in particular the presence of a certificate issuer specific certificate policy extension OID.
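The following is an added example, not code from the original page or from any browser vendor: a minimal model of the EV decision described under Requirement, Techniques and Dependencies above. It assumes ordinary SSL/TLS chain validation has already succeeded, represents certificates by subject, issuer and certificatePolicies OIDs only, and uses constructed placeholder root names and OIDs (the 2.999 example arc), not real CA data.

```python
from dataclasses import dataclass

ANY_POLICY = "2.5.29.32.0"  # X.509 anyPolicy; acceptable in intermediate CA certificates

@dataclass(frozen=True)
class Cert:
    """Only the fields the EV decision needs; ordinary chain validation is assumed done."""
    subject: str
    issuer: str
    policy_oids: frozenset = frozenset()  # OIDs from the certificatePolicies extension

# Built-in EV root store shipped with the user agent: root subject -> issuer specific EV OID.
# Both entries are CONSTRUCTED placeholders (2.999 is the example OID arc), not real CA data.
BUILTIN_EV_ROOTS = {"Example Root CA": "2.999.1.1", "Other Root CA": "2.999.2.7"}

class EVRootStore:
    """Roots qualified for EV: a user may disqualify one, but never add one."""
    def __init__(self, builtin=BUILTIN_EV_ROOTS):
        self._roots, self._disqualified = dict(builtin), set()
    def disqualify(self, root_subject):
        self._disqualified.add(root_subject)
    def qualify(self, root_subject, ev_oid):
        raise PermissionError("user agents SHOULD NOT let users qualify EV roots")
    def ev_oid_for(self, root_subject):
        return None if root_subject in self._disqualified else self._roots.get(root_subject)

def chain_is_linked(chain):
    """Each certificate is issued by the next one and the last one is self-issued."""
    return (all(c.issuer == p.subject for c, p in zip(chain, chain[1:]))
            and chain[-1].issuer == chain[-1].subject)

def qualifies_for_ev(chain, store):
    """chain[0] is the server certificate, chain[-1] the root.  True only when the
    enhanced EV indication may be shown: qualified root AND that root's own EV OID."""
    if not chain or not chain_is_linked(chain):
        return False
    ev_oid = store.ev_oid_for(chain[-1].subject)
    if ev_oid is None:
        return False  # unknown or user-disqualified root: at most the plain padlock
    if ev_oid not in chain[0].policy_oids:
        return False  # not issued under the EV policy (e.g. a DV/OV cert from the same CA)
    # Every intermediate must carry the EV policy or anyPolicy, else the policy does not reach the leaf.
    return all(ev_oid in c.policy_oids or ANY_POLICY in c.policy_oids for c in chain[1:-1])

# Constructed sample chains (not real certificates).
ROOT = Cert("Example Root CA", "Example Root CA")
EV_CA = Cert("Example EV CA 1", "Example Root CA", frozenset({"2.999.1.1"}))
EV_LEAF = Cert("bank.example", "Example EV CA 1", frozenset({"2.999.1.1"}))
DV_LEAF = Cert("shop.example", "Example EV CA 1", frozenset({"2.999.1.5"}))
```

Note that the EV OID is bound to the root that issued it: a certificate asserting another root's EV OID, or chaining to a root the user has disqualified, falls back to the plain padlock experience.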

Examples (informational)

Use-cases

Use Cases 1, 2, 3, 4

In these use cases Alice is visiting her bank's Web site using URLs presented in a variety of modes (typed in, bookmark, etc.). In each case the intended interaction is that Alice recognizes the enhanced EV security experience as the primary cue to tell her that the site she is visiting is trustworthy.

Use Cases 5, 6

In these use cases Doyle is presented with a bogus site on his first attempt to contact the site. EV allows Doyle to recognize that the site he is visiting has not established itself as trustworthy according to the EV criteria.

Use case 7

In this use case Frank is presented with a pop-up screen that is not directly associated with the content he is visiting, effectively 'free riding' on the trustworthiness of that site.

Ideally an enhanced EV code authentication mechanism would alert Frank to the fact that he is being asked to download and run code that is not trustworthy.

Use case 8, 9

Here EV is intended to allow Betty to differentiate sites which she should trust to enter her credentials from those where she should not.

Attack resistance and limitations

An authentication procedure is only as good as the credentials that are relied on for authentication. An attacker may obtain fraudulent credentials by incorporating a straw company. The EV process is designed to increase the risk of this approach by requiring the applicants to provide information that creates a significant chance of apprehension and to limit the potential benefit to the attacker through prompt revocation. The risk of fraudulent applications is mitigated but not eliminated.

Expected User behavior

The expected user behavior is dependent on the level of user experience of the enhanced EV display.

A user who has no previous experience of an enhanced EV display is intended to find that the EV user experience makes it more obvious that they are visiting an accountable and hence more trustworthy site.

A user who has extensive experience with EV is intended to expect the presence of the EV user experience whenever they engage in a Web transaction requiring a high level of trustworthiness.

Disruption

The level of disruption caused by the EV experience depends on the implementation. Current implementations are considerably more obvious than the previous padlock user experience but do not use pop-ups or other intrusive elements.

Accessibility

Since EV does not mandate a particular user experience there are no accessibility concerns that are specific to EV.

References