Extended Validation - What it really means


I’m going to give you a better understanding of what extended validation (EV) means and what it really gives you. Throughout many discussions at Mozilla and elsewhere - and especially since my last article about spoofing the secure state of the upcoming Firefox browser - EV certificates are touted by many as the solution to the problem. The wonder balsam which will heal the Internet from inadequate authenticity, lack of identification and trust. The only means browser vendors have to positively identify secured web sites…and so the arguments go on…

The new Firefox browser features a new user interface which quite openly promotes certificates issued according to the EV guidelines. Microsoft’s Internet Explorer has also had special treatment for this type of certificate for quite some time, but Safari and Opera don’t distinguish between SSL certificates. I’ll write more about Opera soon, since I believe that they are doing many things quite right!

The address bar in Firefox 3 treats EV certificates differently as illustrated in the image below. For the record, the StartCom CA doesn’t issue such certificates yet and I’ll cover that more extensively in a future post.

Firefox 3 EV Mode

Now, what exactly is EV? Extended validation certificates are certificates issued according to guidelines defined by an interest group of commercial certification authorities (*) and browser vendors. The guidelines are available from their web site. Also available are the audit guidelines, a document which explains how certification authorities have to be audited in order to comply with them. I’ll save you the pain of reading these documents, but I want to set the record straight about some aspects.

EV certificates are issued only to companies and organizations. Only companies and organizations! That means entities like

  • Inc. (Incorporated)
  • Ltd. (Limited Company)
  • GmbH (Gesellschaft mit beschränkter Haftung)
  • AG (Aktiengesellschaft)

Usually all these types of registered organizations have limited liability; there is no personal liability. Yes, this includes StartCom too, which means our company is an organization with limited liability as well (**). More precisely, StartCom is a private limited company, which is the common form of business entity here. What EV does is confirm the existence of the company, its name, that the requester of the certificate is authorized by the company to make the request, and its ownership of the respective domain name. That’s it!
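To make that concrete, here is an added example (not from the original post) in Go that reads what a certificate’s subject actually asserts: a DV-style subject names only the domain, while an EV-style subject adds the legal entity and its country of incorporation, and neither names a person. It assumes only Go’s standard crypto/x509 package; the company, domain and self-signed certificates are constructed for the example, and the jurisdiction attribute’s OID comes from the EV guidelines, not from this post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// jurisdictionOfIncorporationCountryName: a subject attribute the EV guidelines add.
var oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
// EVStyleSubject mimics the subject an EV certificate carries, for a fictional company.
var EVStyleSubject = pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd."},
	Country: []string{"IL"}, ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidJurisdictionCountry, Value: "IL"}}}

type Claims struct { // what a certificate's subject actually asserts about the site owner
	Domains      []string // control of these names: proven for DV, OV and EV alike
	Organization string   // legal entity name; empty for a DV certificate
	Jurisdiction string   // country of incorporation; only EV-style subjects carry it
}

// Classify reads the subject only; it verifies neither the chain nor an EV policy OID.
func Classify(cert *x509.Certificate) Claims {
	c := Claims{Domains: cert.DNSNames}
	if len(cert.Subject.Organization) > 0 {
		c.Organization = cert.Subject.Organization[0]
	}
	for _, atv := range cert.Subject.Names { // every parsed attribute, standard or not
		if atv.Type.Equal(oidJurisdictionCountry) {
			c.Jurisdiction, _ = atv.Value.(string)
		}
	}
	return c
}

// SelfSigned builds a constructed test certificate for the subject; no CA is involved.
func SelfSigned(subject pkix.Name, dns []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subject, DNSNames: dns,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running Classify on a real site’s certificate shows the same thing: the Organization field is the only name a relying party gets, and it is a company’s, never a person’s.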

How does this compare to what the StartCom CA is doing so far? StartCom requires, first of all, registration by the subscriber as an individual natural person. For higher validations (Class 2) a subscriber must validate his identity first, according to the policies and procedures of StartCom. Only after successful personal validation may a subscriber opt for organization validation. During this process various attributes of the company are verified, including ownership of the company and the subscriber’s authorization to request certificates on behalf of the company. Finally, a domain name may be validated and certificates issued.

This gives us a better foundation of trust because we deal with people first and foremost, not entities! The subscriber is personally responsible for the correct handling of the certificates. We know him. Especially with smaller companies, one of the owners is often also the subscriber; with bigger organizations it’s usually the IT manager or system administrator. This principle is our basic understanding for building a trust relationship and the basis for any higher validation at StartCom, be it Class 2, Class 3 or EV. This is what we owe to the relying parties which rely on a certificate issued by us.

Without taking away the value EV certificates offer, I believe they have a drawback. A company may exist today and be gone tomorrow. Nobody will be liable for any damage, and there is nobody to sue after they rob their customers of their money and close down. Not one individual is verified and validated for an EV certificate. Therefore, next time you see the green indicator in Firefox when visiting a web site, ask yourself how green it really is!

* I claim that the founding of the CA/Browser Forum and the definition of the EV guidelines were a direct result of StartCom’s entering this industry three and something years ago. EV is certainly a way to protect their business interests by setting the barrier to entry higher for some providers.

** StartCom has an insurance policy for possible claims in case anything should go wrong. The EV guidelines also require providers to be insured accordingly. There is, however, no such requirement for holders of EV certificates, of course.


Reader Comments

A correction: You say that Opera makes no distinction between types of SSL certificates. While this is true of the current stable release, the upcoming Opera 9.50 will support EV certificates with a similar green highlight. This can be seen in Opera 9.50 beta 2, released in April.

Yngve’s blog covers the history of support for EV certs in Opera.

The problem isn’t the distinction but the value EV provides. Even that isn’t a problem per se, if one knows what it means. Judging by the various marketing efforts, CAs are obviously telling you otherwise (things about trust etc.).

I updated to the current beta of Opera now and haven’t seen any distinction yet. Yngve’s blog apparently shows a screenshot of how it should look (as expected, I’d say). Thanks for updating me on this.
