Frequently Asked Questions - Extended Validation SSL

What is SSL?
SSL stands for Secure Socket Layer. Like TLS (which stands for Transport Layer Security), SSL is a security protocol that operates between a browser and a Web site. It provides confidentiality and data integrity by means of cryptographic techniques and, when used with a third party-issued certificate, it can report trustworthy information to one party about the other party. Typically, SSL is used to provide the browser and its user with trustworthy information about the Web site.

Cryptographic techniques provide confidentiality and data integrity protection for messages passing in either direction between the browser and the Web site. This prevents Internet Service Providers that handle the messages in transit from viewing or modifying the contents of the messages. It also mitigates attacks on the DNS, such as DNS cache poisoning and on the HTTP caching system, such as HTTP response splitting.

What is a certificate?
A certificate (more properly called a public-key certificate in this context) is an electronic document that is signed by a certification authority (CA) asserting the binding between identifying information and a public key that can be used to authenticate the entity to which the identifying information applies. As a minimum, the identifying information includes a domain name, and the browser verifies that the URL displayed in its address bar is in the domain identified by the certificate.

The CA's public key can be used to verify its signature on a certificate. If the certificate is valid and the domain it contains includes the URL displayed in the browser's address bar, then the browser will display a padlock icon, indicating that a secure connection has been established between browser and Web site.

What is a certification authority?
A certification authority (sometimes referred to as a certificate authority) is a trusted third party that issues digital certificates. On the Web, certification authorities (CAs) are typically separate business entities whose public keys are provisioned to the browser by the browser supplier. The CA accepts requests for certificates from Web site operators who provide the identifying information that they wish to have included in the certificate. The CA verifies the accuracy and applicability of the identifying information before including it in the certificate and returning it to the Web site operator.

The Web site provisions the certificate to the browser within the SSL protocol.

What is the DNS?
DNS stands for Domain Name System. It is the part of the Internet that translates a familiar domain name, such as "adgrafics.com" to an IP address. The Internet routes messages to their destinations on the basis of the destination IP address. However, because users are more familiar with domain names to identify locations on the Internet, a system is needed to translate between these two forms of addresses. That translation system is the DNS.\

What standards do certification authorities have to comply with?
Generally, in order to be accepted by a browser supplier, a certification authority (CA) must meet standards set by either the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) or the (European Telecommunications Standards Institute) ETSI. The AICPA/CICA standard is called "WebTrust for CAs" and the ETSI standard is called "ETSI TS 101456 Policy requirements for certification authorities issuing qualified certificates."

These audit schemes impose requirements on the CA's systems, personnel and procedures. But, they do not currently prescribe the specific methods used by the CA to validate the identifying information that is to be included in the certificate.

With the introduction of extended validation certificates (EV SSL Certificates), WebTrust will be augmented to audit the CA's conformance with the extended validation guidelines.

What is a domain-validated certificate?
A domain-validated certificate is an SSL certificate in which the validated identifying information contained in the certificate is limited to the domain on which the Web site is located. If a secure connection is established between browser and a Web site secured with a domain-validated certificate Web site, the browser displays the padlock icon.

What is an organizationally validated certificate?
An organizationally validated certificate is one in which the validated identifying information includes the domain and information about he business entity that operates the Web site, such as its registered business name. Organizationally validated certificates differ from extended validation certificates (EV SSL Certificates) in that they are not necessarily issued in compliance with the extended validation guidelines. Furthermore, the organizational identifying information they contain does not receive prominent display in the most popular browsers. If a secure connection is established between browser and a Web site secured with an organizationally validated certificate, the browser displays the padlock icon.

What is an extended validation certificate?
An extended validation certificate (EV SSL Certificate) is a certificate issued in conformance with the extended validation guidelines defined by the CA/Browser Forum . The organizational identifying information and the name of the issuing CA receive prominent display in some browsers.

What are the extended validation guidelines?
The extended validation guidelines contain a set of requirements for the operations of certification authorities (CAs) that issue extended validation certificates (EV SSL Certificates). These requirements mostly govern the process of validating the identifying information that is to appear in an EV SSL Certificate. However, the guidelines also establish requirements for several other aspects of a CA's operations, including: insurance coverage, revocation services, cryptographic key parameters, personnel qualification, etc.

Why is there a need for extended validation certificates?
Because there are no generally-accepted standards for verifying the organizational information that is contained in some certificates, uncertainty has arisen in users' minds over the significance of the padlock icon. This confusion has been compounded by the growing practice of Web site operators to display padlock icons within the site contents. Furthermore, the URLs that commonly appear in browser address bars have become obscure and users can no longer use these to assure themselves that they are transacting with the Web site operator that they expect. Therefore, there arose a need to display trusted identifying information about the operator of the Web site, and to do it in a way that clearly indicated to users the identity of the business entity with whom they were doing business. This had to be done in a way that established minimum standards for the trustworthiness of that identifying information. Hence, the major browser suppliers and a group of certification authorities (CAs) came together to develop these minimum standards. At the same time, some browser suppliers developed user interface standards for displaying that information to emphasize its trustworthiness.

With these combined developments, it is expected that the Web users who engage in sensitive transactions with their governments, financial service providers, health care providers, etc. will look for these new cues as part of their personal Web use routine.

When will we see Web sites protected by extended validation certificates?
Many browser suppliers plan to provide support for extended validation certificates (EV SSL Certificates) some time during 2007. Microsoft's IE7 and Vista currently provide full support for EV SSL Certificates.

Extended Validation (EV) SSL Certificates will contain the following required fields:

Organization name
- This field must contain the Subject's (i.e., certificate holding entity's) full legal organization name as listed in the official records of the Incorporating Agency in the Subject's Jurisdiction of Incorporation. In addition, an assumed name or d/b/a (doing business as) name used by the Subject may be included at the beginning of this field, provided that it is followed by the full legal organization name in parenthesis. If the combination of the full legal organization name and the assumed or d/b/a name exceeds 64 bytes as defined by RFC 3280, the CA should use only the full legal organization name in the certificate.

Domain name
- This field must contain one or more host domain name(s) owned or controlled by the Subject and to be associated with Subject's publicly accessible server. Such server may be owned and operated by the Subject or another entity (e.g., a hosting service). Wildcard certificates are not allowed for EV SSL Certificates.

Jurisdiction of Incorporation
- These fields must contain information only to the level of the Incorporating Agency - e.g., the Jurisdiction of Incorporation for an Incorporating Agency at the country level would include country information but would not include state or province or city or town information; the Jurisdiction of Incorporation for an Incorporating Agency at the state or province level would include both country and state or province information, but would not include city or town information; and so forth. Country information must be specified using the applicable ISO country code. State or province information, and city or town information (where applicable) for the Subject's Jurisdiction of Incorporation must be specified using the full name of the applicable jurisdiction.

Registration Number
- This field must contain the unique Registration Number assigned to the Subject by the Incorporating Agency in its Jurisdiction of Incorporation (for Private Organization Subjects only).

Address of Place of Business
- This field must contain the address of the physical location of the Subject's Place of Business. City, state and country information is required. Street number and ZIP/postal are optional.

Extended Validation (EV) SSL Certificates will serve the following purposes:

Enable Secure Connections. Like "standard" SSL certificates, which rely on authentication of requesting organization's identity and/or domain control, EV SSL certificates enable secure encrypted communication between a Web site and a site visitor's browser by facilitating the exchange of encryption keys

Establish Online Businesses Identity. EV SSL Certificates establish online businesses identity by confirming the certificate holder's legal and physical existence.

Help Prevent Fraud. By providing reliable third-party verified identity and address information regarding the owner of a Web site, EV Certificates may help to:

• Make it more difficult to mount phishing schemes and other online identity fraud attacks using SSL certificates;
• Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves and their legitimate Web sites to users;
• Assist law enforcement in investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the perpetrator.

Per the guidelines defined by the CA/Browser Forum, Certification Authorities (CAs) may issue Extended Validation (EV) SSL Certificates to Private Organizations, Government Entities, and Business Entities that satisfy the requirements specified below:

Private Organizations
The CA may issue EV Certificates to Private Organizations that meet the following requirements:

1. The Private Organization must be a legally recognized entity whose existence was created by a filing with (or an act of) the Incorporating or Registration Agency in its Jurisdiction of Incorporation or Registration (e.g., by issuance of a certificate of incorporation) or is an entity that is chartered by a state or federal regulatory agency;
2. The Private Organization must have designated with the Incorporating or Registration Agency either a Registered Agent, or a Registered Office (as required under the laws of the Jurisdiction of Incorporation or Registration) or an equivalent facility;
3. The Private Organization must not be designated on the records of the Incorporating or Registration Agency by labels such as "inactive," "invalid," "not current," or the equivalent;
4. The Private organization must have a verifiable physical existence and business presence;
5. The Private Organization's Jurisdiction of Incorporation, Registration, Charter, or License, and/or its Place of Business must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction; and
6. The Private Organization must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction.

Government Entities
The CA may issue EV Certificates to Government Entities that satisfy the following requirements:

1. The legal existence of the Government Entity must be established by the political subdivision in which such Government Entity operates;
2. (The Government Entity must not be in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction;
3. The Government Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction.

Business Entities
The CA may issue EV Certificates to Business Entities that do not qualify under the criteria listed for Private Organizations above but that do satisfy the following requirements:

1. The Business Entity must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction, the issuance or approval by such Registration Agency of a charter, certificate, or license, and whose existence can be verified with that Registration Agency;
2. The Business Entity must have a verifiable physical existence and business presence;
3. At least one Principal Individual associated with the Business Entity must be identified and validated;
4. The identified Principal Individual must attest to the representations made in the Subscriber Agreement;
5. Where the Business Entity represents itself under an assumed name, the CA must verify the Business Entity's use of the assumed name pursuant to the requirements of Section 15 herein;
6. The Business Entity and the identified Principal Individual associated with the Business Entity must not be located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA's jurisdiction;
7. The Business Entity and the identified Principal Individual associated with the Business Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction.