Skip navigation.

Implementer's notes

What might get caught in the gears under the hood?

More testing: Updated EV information and new Roots

, , , , , , , , , , ,

A few hours ago the new online certificate repository that the most recent weeklies are using was updated with several new roots, and an additional CA, Comodo, was also provisionally EV-enabled

The new and the updated CAs are

  • America OnLine
  • Cisco
  • Comodo
  • Digicert


There is no need to download an updated Weekly (if you have one of the two recent ones). When you next restart one of the Opera 9.50 Weeklies with support for online certificate updates, it will immediately download the indexes, and download the new certificates when necessary. Please give it a minute to finish the update.

Here are a couple of testsites:


Known Issues: The complex certificate chain system used by Comodo encounters some, mostly hidden, problems with our OpenSSL certificate verification support, and that will cause some EV sites to not be recognized. We will try to fix it, but it may not be advisable to include a fix in 9.50.
[*] DigiCert:


I do not currently have testcases for Cisco, as they have not yet started issuing certificates from the new root.

More about known issues:

  • We know there are some problems with OCSP and CRL responses (the two kinds of revocation information) from some Certificate Authorities. These problem may lead to the website getting a lower security level. We are looking into these problems together with the CAs. In last week's build some of the CRL problems will cause a "Fatal Error 50", in the most recent build that has been fixed. We may decide to work around some of these, but they should preferably be fixed by the CA.
  • At least one CA (who is not in our repository) is using CRLs with a critical extension, which will cause the secure connection to fail with error code 554. In this case we are following the standard, although one might wonder why the specification says "Although the extension is critical, conforming implementations are not required to support this extension". The problem have been "fixed" internally by recognzing the extension, then ignore it, as we do not need it.
.

New in Kestrel: Faster Root Certificate updatesLowering the EV bar

Comments

hartley231 19. April 2008, 00:49

Sorry if I've missed this in the release notes, however I can't get EV working on my Intel Macbook Pro using the latest weekly build 4784. Working fine on my work Windows XP machine.

hartley231

Update: scratch that! Just tried https://brokerage.comdirect.de/ and I have a green EV background. Maybe something to do with the specific site?

yngve 19. April 2008, 11:54

Hartley: Please see my articles on EV in Opera (there are some extra requirements), and also note that we have only EV enabled some CAs.

kloining 20. April 2008, 20:57

When is Thawte Extended Validation CA getting uploaded?

yngve 20. April 2008, 22:14

After testing, and when we are ready with the legal framework.

The currently EV-enabled CAs are only enabled provisonally.

oscardt 21. April 2008, 21:24

How come https://www.paypal.com/ still shows yellow in the adressbar?
In the security tab It says: "the connection to this server is secure"
and paypal uses EV

https://www.sslcertificaten.nl/ however does show green.

yngve 21. April 2008, 22:56

Regarding Paypal: "It ain't EV 'til it's EV, all EV".

Paypal is using content from sites that are not EV certificate, and as such the identity of all who created the content is not sufficiently proven.

See my articles for more information:

http://my.opera.com/yngve/blog/2008/04/08/new-in-kestrel-end-of-the-extended-validation-wait
http://my.opera.com/yngve/blog/2007/06/19/it-aint-ev-til-its-ev-all-ev

blinkybill 22. April 2008, 13:39

Hi yngve,

When opening https://www.paypal.com/ here I get the grey ?
in the address bar. But if I then mask as Internet Explorer
then I get the lock with the yellow background.
Is this how it should be?.


cheer
blinkybill

yngve 22. April 2008, 21:11

blinkybill: I have no problem with Paypal by going direct to the URL, even going indirectly via the unsecure accesspoints with redirects.

blinkybill 24. April 2008, 13:25

Hi yngve,

Just updated to the new Opera 9.5 beta2 and still
www.paypal.com shows a grey ?.
I am using Windows XP SP2 and I installed Opera
using the Classic Installer.
I tried it at work with Opera and it shows the
Lock with the Yellow Background so I got no
clues as to why mine doesn't. Could this be
a bug somewhere?.

cheers
blinky

yngve 24. April 2008, 15:11

What does the information in the security panel of the dialog displayed when you click on the "?" say?

This new feature performs a lot of extra data verification, and if one of them cannot be completed then the site won't get a secure indication.

blinkybill 25. April 2008, 05:36

Hi Yngve,

Here is a screenshot mate of the Grey ?.

http://img155.imageshack.us/my.php?image=paypalrv2.jpg

cheers
blinky

t1gershark 26. April 2008, 11:51

I've a problem on this site

https://banking.bw-bank.de/

security panel says, that there's no
secure connection available.
What's wrong ?

yngve 26. April 2008, 15:37

t1gershark: I am not sure what is causing it, but there seems to be a problem with the CRLs (the revocation check). Such problems means that we have no reliable information about whether or not the certificate is relly valid, thus a reduced security level.

t1gershark 27. April 2008, 09:46

Thanks for your response yngve.
Reduced security level is good, but the panel says that
there's no security at all :smile:

blinkybill 7. May 2008, 05:54

Hi yngve,

Just installed the latest 9.5 beta and now
www.paypal.com shows the yellow background
with the lock.


cheers
blinky

YinYanger 2. June 2008, 11:42

Hi yngve,

Are you heard about PetName systems? Interesting reading!

http://www.skyhunter.com/marcs/petnames/IntroPetNames.html

Bye!

Write a comment

You must be logged in to write a comment. If you're not a registered member, please sign up.

July 2009
S M T W T F S
June 2009August 2009
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31