Improving SSL: Extended Validation (EV) SSL Certificates Coming in January


Hi, I’m Kelvin Yiu, a program manager with the Windows Crypto team, and I’m very excited to be posting today on the IE blog, announcing plans to make Extended Validation (EV) SSL Certificates available in January 2007.

For over a year, we’ve been working on shaping the form of the next generation SSL (Secure Sockets Layer) Certificates, so that they not only provide encryption but also a standard for identity on the Internet. For that purpose we teamed up with many Certification Authorities (CAs) and Internet browsers to create the CA/Browser forum, tasked with the creation of these next-generation Certificates, called EV SSL Certificates.

The CA/Browser forum has provided a great service, and has helped evolve the EV SSL guidelines to their current Draft 11. We feel very strongly that the current version of the EV SSL guidelines provides tremendous value to help protect consumers from phishing, while maintaining compatibility with existing browsers.

Recently, we invited all the members of the CA/Browser forum to join us in supporting EV SSL Certificates based on the current guidelines, and at this time I wish to extend the invitation to all CAs interested in participating. The industry response has been very strong, and many CAs such as Verisign (including Thawte and GeoTrust), CyberTrust, Entrust, GoDaddy, QuoVadis, XRamp, SecureTrust and DigiCert have already expressed their intention to support EV Certificates now, while other CAs such as Wells Fargo have expressed strong support for our efforts to drive EV Draft 11 forward. Browsers, such as KDE and Opera, are also planning to add support for EV Draft 11 in future versions of their software.

Starting at the end of January 2007, we will make the necessary updates to Windows, so that IE7 will recognize EV Certificates and modify the display accordingly (with a green background for the address bar, as well as embedded identity info, as shown in Figures 1 and 2, from Rob’s earlier post). This will mean that businesses can now assertively establish their online identity and make it visible to consumers who transact with them. Additionally, consumers will now have a new level of trust in their online transactions, because visible feedback on the identity of the business they are transacting with is readily available.

Fig 1: IE7 address bar for a site with an Extended Validation SSL certificate
(showing the identity of the site from the SSL certificate)

Fig 2: IE7 address bar for a site with an Extended Validation SSL certificate
(alternating in the name of the Certification Authority who identified the site)

We do not expect EV SSL Certificates to eradicate the phishing problem, but we are convinced that it is a significant step forward in protecting consumers. EV SSL Certificates provide tremendous value to Internet users today, and the industry will keep evolving the guidelines to keep pace with the changing Internet landscape.

Kelvin Yiu (with help from Rob Franco and Tom Albertson)
Program Manager
Microsoft representative to CA/Browser Forum
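The post says IE7 will recognize an EV certificate and switch to the green display, but not how a browser tells an EV certificate from an ordinary one. The signal is a policy OID carried in the certificate’s certificatePolicies extension, and that OID only means "EV" relative to the trusted root it is registered for: the browser keeps a root-to-OID table, and the same OID under any other root proves nothing. The Go program below is an added example written for this page, not code from Microsoft, IE7 or any of the CAs named above. It uses Go’s standard crypto/x509 package to build a constructed two-certificate chain, puts a placeholder policy OID (1.3.6.1.4.1.99999.1.1, not any real CA’s OID) into the leaf, and makes the green/ordinary decision the way a browser-side check would. The root names, the host name shop.example.test, the organization name and the OIDs are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// evPolicyByRoot is the browser-side registry: for each trusted root (keyed here by its
// subject common name) the policy OID that root puts into its EV certificates. Both root
// names and both OIDs are constructed placeholders for this example, not real CA values.
var evPolicyByRoot = map[string]asn1.ObjectIdentifier{
	"Example EV Root CA":     {1, 3, 6, 1, 4, 1, 99999, 1, 1},
	"Example Legacy Root CA": {1, 3, 6, 1, 4, 1, 99999, 2, 1},
}

// certificatePoliciesExtension DER-encodes the OIDs as an X.509 certificatePolicies
// extension (OID 2.5.29.32): a SEQUENCE OF PolicyInformation, qualifiers omitted.
func certificatePoliciesExtension(oids []asn1.ObjectIdentifier) (pkix.Extension, error) {
	infos := make([]struct{ Policy asn1.ObjectIdentifier }, len(oids))
	for i, oid := range oids {
		infos[i].Policy = oid
	}
	der, err := asn1.Marshal(infos)
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der}, err
}

// mustCert signs tmpl under parent and re-parses the DER, so the result is exactly what
// a browser would see on the wire. Panicking is acceptable here: this is fixture code.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newChain builds a constructed root named rootCN and a server certificate for the
// constructed host shop.example.test issued directly by it, carrying the policy OIDs.
func newChain(rootCN string, policies ...asn1.ObjectIdentifier) *x509.Certificate {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: rootCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "shop.example.test", Organization: []string{"Example Shop Ltd"}},
		DNSNames:     []string{"shop.example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if len(policies) > 0 {
		ext, err := certificatePoliciesExtension(policies)
		if err != nil {
			panic(err)
		}
		// ExtraExtensions are copied into the DER verbatim on every Go version.
		leafTmpl.ExtraExtensions = []pkix.Extension{ext}
	}
	return mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
}

// addressBarState returns "ev" for the green EV display or "ssl" for the ordinary padlock
// display, assuming the chain has already passed normal path validation. The rule: the
// issuing root is registered for EV and the leaf asserts that root's own EV policy OID.
func addressBarState(leaf *x509.Certificate) string {
	want, registered := evPolicyByRoot[leaf.Issuer.CommonName]
	if !registered {
		return "ssl"
	}
	for _, have := range leaf.PolicyIdentifiers {
		if have.Equal(want) {
			return "ev"
		}
	}
	return "ssl"
}

func main() {
	evOID := evPolicyByRoot["Example EV Root CA"]
	fmt.Println("EV certificate from registered root:  ", addressBarState(newChain("Example EV Root CA", evOID)))
	fmt.Println("ordinary certificate, no policy OID:  ", addressBarState(newChain("Example EV Root CA")))
	fmt.Println("same EV OID under unregistered root:  ", addressBarState(newChain("Unregistered Root CA", evOID)))
}
```

Two design points matter for a defender reading this. First, the decision is keyed on the root, not on the OID alone: a certificate that merely copies a known EV OID but chains to an unregistered root stays "ssl". Second, the check runs only after ordinary chain validation (path building, expiry, host name, revocation); in this example the leaf is issued directly by the root, so the leaf’s issuer name doubles as the root name, whereas with intermediates the lookup would use the root of the verified chain.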

Comments (44)

  1. TMaster says:

    Heh, of course the industry response has been very strong, if you’d be selling hot air, you’d be excited as well 😉

    Seriously though, I think this is a nice improvement – as long as users make sure to Check the Green.

    And don’t forget KDE is not a browser – it’s a Desktop Environment. Konqueror is the browser that is nicely integrated with KDE, the K Desktop Environment.

    *can’t wait for development on IE8 to start ;-)*

  2. I’m not sure that "strong improvement" is the right way to characterize the response to Draft 11, which was not approved as version 1.0 of the guidelines.

    There are several concerning aspects to Draft 11, especially around who is currently allowed to obtain EV certificates. Creating a new tier of "high assurance" certificates and then limiting the availability (see Section 5a and 5d) to incorporated associations and partnerships strikes me as extremely problematic.

    I believe that some form of identity assurance for websites is required, and am very interested in determining how to create that assurance in way that is open and accessible to all citizens of the web, and hope that Draft 12 addresses these concerns.

  3. kL says:

    To me it looks just like what Opera has been doing for a year now. How’s that different from Opera’s implementation (using OCSP)?

  4. I would encourage readers (and commenters) like kL not to focus on the browser’s specific rendering of the presence/absence of EV certificates. That’s a question for the browser vendors to address, and I’d hope that (like we did with the lock) we come up with a consistent metaphor across browsers to ensure that users can build a mental model of security-on-the-web.

    Instead, please focus on what Kelvin is actually talking about here, which are the guidelines around how EV certs are awarded to entities and the processes and procedures used to provide "high assurance" that the cert-holder is who they claim to be, as well as the processes for repudiation and the repealing of these certificates if/when problems arise. That’s the meat of the proposal before our community, and it needs the wisdom of your eyes!

  5. EricLaw [MSFT] says:

    @KL: Opera9 displays information from the certificate, but it doesn’t have any awareness of what data in the certificate had been validated by the CA, or how that validation was done. EV guidelines will help remove this ambiguity.

  6. AdrianS says:

    Not sure what you mean by "does not have awareness"? Surely the CA has validated the entity name and domain – otherwise they have no business being a CA!

    I would argue that we don’t need EV at all just better policies for CAs. If a CA is not up to its job, just revoke the CA’s licence.

    This is similar to the kernel signing for Vista – how is a CA "more trusted" than another? How is a certificate "more trusted" than another? Why not just trusted or not trusted?

    I do want to thank you for including more CAs than just MS’s buddy Verisign… Now if you could "fix" WinQual many developers would get their Christmas/New Year presents early 😉

    Adrian

  7. Tester says:

    The idea that MS could simply kill off a CA at their own initiative without getting sued is unfortunately hopelessly naïve. Without defined criteria for what constitutes "acceptable" validation, there’s no grounds to revoke anyone.

  9. Wolf says:

    Does that work with XP, too, or only with Vista? I had a problem testing it with XP although I had installed the testing root certificate of Microsoft.

  10. Petr says:

    No doubt that CAs do not validate the certificate requests properly. This wrong careless behavior should be corrected and not to add new, more expensive "EV" certificates.

    Were there any real cases with not properly validated certificates, or is the whole problem just theoretical?

  11. goose says:

    I have always been confused and asking "who gave me this certificate!?!!" Now IE7 will save me and the web in general. I love EV SSL!!

    I think it’s good how you don’t mention your main competitor, Mozilla Foundation, and instead mention Opera and KDE.

    I look forward to getting a certificate from Woodcove Tank in IE and of course knowing it’s fake like millions of Average Joes out there surely will! I think IE7 is brilliant! I also like the green.

    It’s superb how we don’t have to upgrade to Vista for this. Microsoft are great to offer this for free next year! But of course it’s recommended to update because we will all be better off when we drop XP; years of updating behind the scenes must make me safer!

  12. Duane says:

    Of late Verisign has been heavily pushing a new initiative for extended verification certificates, going so far as being on record criticising Mozilla for not keeping up with security innovations that Microsoft has already implemented, to give this some context, EV certificates are similar to the Class 3 certificates CAcert issues, minus the huge price tag.

    While we applaud the effort to unify procedures and processes CAs employ we feel things have been heavily slanted towards commercial certificate authorities so much so that it seems to be more about keeping a stranglehold on the market and the price tag that comes with it than any actual improvements in security that end users might enjoy.

    As a result, there are a number of flawed assumptions being pushed that can only be seen as helping out Verisign’s bottom line, not helping out end users, and while I can understand Microsoft’s motivations for accepting Verisign’s recommendations so openly, one must start to question Mozilla’s motives for even contemplating doing the same.

    Now, if this was to truly help out users, surely we would hope for widespread adoption, but this won’t be the case, even Verisign has expectations that 99% of sites will stick with the status quo. This becomes even more interesting when you take into account how this will be or is implemented in browsers.

    Currently Firefox turns the URL bar yellow when the site is secured with SSL, with EV certificates the URL bar will turn green, this is supposed to indicate that the site is great and super and should be implicitly trusted, but if most sites are yellow users will tend to associate yellow as being just as good as green. We’ve seen this behaviour in the past with people simply clicking through any popups, which occur far too regularly and people only end up clicking without even reading them.

    CAcert was aware at the time of discussions that occurred between most/all browser vendors and some certificate authorities, however when we asked to participate our requests largely fell on deaf ears.

    The bigger problem here is with the Mozilla Foundation itself, well over a year ago, there were university-trained researchers falling over themselves to help out the mozilla foundation, they had conducted real studies into how to improve the browser experience and ways to help users to detect fraudulent websites. The Mozilla Foundation basically snubbed the researchers and their efforts at creating proof of concepts in the hope of having their research utilised for the benefit of everyone.

    The research has since been incorporated in tool bars by HP and others for Internet Explorer.

    It makes you wonder how much research Verisign and others have completed to back up their claims that this will help users?

    This is yet another example of people being told what they need to be safe, when it’s most likely not going to do anything except convince businesses to spend more money with Verisign, so again I’m left wondering why the Mozilla Foundation is entertaining this current push by Verisign to lock out competitors, and has little or no benefit for users and businesses in general, even though helping users is the excuse being used as why this is needed.

  13. Duane, you realize this is the IE7 blog, right? Mozilla actually abstained from the vote to accept Draft 11, although we continue to participate in the CA/Browser forum since we recognize the existing problems and limitations with certificates, and are interested in exploring sensible solutions.

    Not speaking for Mozilla, but speaking personally, I think that there’s promise in EV/HA Certificates, but I don’t think that Draft 11 is quite there yet, and am pretty concerned about a lot of the broader claims being made by its proponents. I also think we should be separating EV Certificates, The Technology and How Browsers Display EV Certificate Presence/Absence.

    (also, above, where I said "I’m not sure that "strong improvement" is the right way to characterize the response to Draft 11", I meant to write "I’m not sure that "strong SUPPORT" is the right way …"

  14. Max Battcher says:

    I have to agree with the sentiments that this seems like a huge bilk for anyone in the market for certificates by adding an additional tier to an already artificial tier system.  Let’s be honest that SSL Certificate costs are already inflated well beyond any actual expense costs, with the only excuse being validation requirements.  EV appears to give CAs the excuse to lower the bar for their standard practices for existing certificates without lowering cost.  I highly doubt that someone that makes so much money on their certificates, and already alleges to follow the practices asked by EV, like Verisign, would offer EV as standard practice with no additional cost, but I’d love to be proven wrong.

    In the end, I’m worried that should the "added assurance" of that green bar in IE catch on in public opinion small businesses will have even more costs to eat to maintain their own web presence.  The barrier to entry for that "green bar" becomes a further obstacle in a small business, in attempting to grow, gaining public trust.  SSL Certificates are the equivalent of a tax on internet business and I’m wondering if CA Forum is at all representing the small business needs rather than CA bottom lines and absurd profit margins.

    Sorry for turning this into a CA rant, but I’m just jealous that I don’t own a CA company.

  15. Duane says:

    Yes I realise this is an IE blog, however I had something pre-written that concerned both parties, however my sentiment is the same regardless, this isn’t going to help end users, this isn’t going to be widely accepted and Verisign and others have estimated the cost to be something like 150% more than current certificates cost (or about $2000-$2500 per year)… Now what small business can afford that?

  16. Thinker says:

    Duane– Either cite your sources, or expect that your "estimates" are ignored for the fiction that they are.

  17. Duane says:

    While some are in damage control trying to discredit the article, it was straight from the horses mouth http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/

  21. Duane says:

    Hmmmm, I didn’t mean to post multiple times but I was getting there was a bug and admins have been notified and nothing was showing up…

  22. wng_z3r0 says:

    I think it’s a good idea 🙂

    ~wng_z3r0

    Microsoft MVP security

  23. xfile says:

    Dear all,

    Enough is enough!!

    http://news.com.com/With+IE+7%2C+green+means+go+for+legit+sites/2100-1029-6134647.html?part=dht&tag=nl.e703

    In addition to the usability issues of the browser, IE 7 soon will provide misleading and false information about smaller sites that don’t have EV SSL certificate (which is expensive and currently available only for large corporations) installed as a possible "phishing" site.

    It has done it again – using a sound reason for stupid moves, and this time, it will put thousands and thousands of small businesses out of business.

    If your site does not have EV SSL certificate installed, IE could give false and misleading information to your visitors that your site is NOT a legitimate site.

    I will now remove IE 7 from all of my systems and officially boycott IE 7 including the Vista which is using IE 7!!

  24. IEBlog says:

    As an engineer, I’m proud of the protections we delivered by finishing IE7 but I want to set your expectations

  25. IEBlog says:

    I’m Markellos Diorinos, and I am a product manager with the Internet Explorer team. Yesterday I read

  26. IEBlog says:

    Back in November, we announced our intention to bring Extended Validation SSL Certificates to IE7. This

  27. Entrust announced that they upgrade Non-EV Verisign SSL Certificates to Entrust EV Certificates for the same price they are paying for Non-EV Certificates. According to the Website this would be only $399 USD per year instead of $1499 USD per year. I do

  28. Short description: Optional update that updates the list of root certificates on the computer to the latest list accepted by Microsoft under the Microsoft Root Certificate Program. By adding additional root cert

  35. IEBlog says:

    Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact).

  38. IEBlog says:

    This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated

  39. IEBlog says:

    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  43. Hello! I am Eric Lawrence, the person in charge of the Internet Explorer security program. Last Tuesday, Dean … our thoughts on a trustworthy browser

  44. Kurzbeschreibung: Optionales Update, das die Liste der Stammzertifikate auf dem Computer auf die neueste Liste aktualisiert, die von Microsoft im Rahmen des Microsoft-Programms für Stammzertifikate akzeptiert wird. Durch Hinzufügen zusätzlicher Stammze