Extended Validation v1.0 approved
Tuesday, June 12, 2007 3:31:06 PM
Last week, after two years of work, the members of the CA/Browser Forum, a group consisting of many Certificate issuers (for example, Verisign, Comodo, and Entrust) and browser vendors (KDE, Microsoft, Mozilla, Opera), voted to approve Version 1.0 of the Extended Validation Guidelines.
These guidelines describe which steps a CA issuer must (at least) take in order to validate that the information given is correct, such as confirming the legal existence of a business or government agency, ownership of a domain, authorization to request a certificate, etc. Compliance with the guidelines is verified by regular independent audits.
This version of the guidelines also address certain concerns about what kind of businesses are eligible to get EV certificates.
When the certificate is issued, and installed on the server, a browser supporting EV will not just verify the signature on the certificate, it will also:
- Verify that the certificate is still valid, and has not been revoked because of some problem [link to revocation article],
- Check for the presence of one of the CA's EV policy indicators (EV-OIDs) in the
If all of this is OK, then the browser will display a visible indicator to the user that the certificate for the site has been issued in accordance with the guidelines. The indicator agreed upon by the browser vendors is a green security toolbar beside the address field, perhaps with a couple of other embellishments.
EV certificates have been issued for a few months based on a preliminary version of the guidelines, and have been recognized by IE7.
No public version of Opera currently supports EV, although we built a demo version with rudimentary EV support last year. Work is going on to produce a full version that supports EV, and we are planning to include support in "Kestrel".
Work in the CA/B Forum is by no means at an end, there are a number of other areas that need similar functionality as that provided by EV to SSL/TLS, as well as possible improvements of the current guidelines.