Improving SSL: Extended Validation (EV) SSL Certificates Coming in January

Hi, I’m Kelvin Yiu, a program manager with the Windows Crypto team, and I’m very excited to be posting today on the IE blog, announcing plans to make Extended Validation (EV) SSL Certificates available in January 2007.

For over a year, we’ve been working on shaping the form of the next generation SSL (Secure Socket Layer) Certificates, so that they not only provide encryption but also a standard for identity on the Internet. For that purpose we teamed up with many Certification Authorities (CAs) and Internet Browsers to create the CA/Browser forum, tasked with the creation of these next-generation Certificates, called EV SSL Certificates.

The CA/Browser forum has provided a great service, and has helped evolve the EV SSL guidelines to their current Draft 11. We feel very strongly that the current version of the EV SSL guidelines provides tremendous value to help protect consumers from phishing, while maintaining compatibility with existing browsers.

Recently, we invited all the members of the CA/Browser forum to join us in supporting EV SSL Certificates based on the current guidelines, and at this time I wish to extend the invitation to all CAs interested in participating. The industry response has been very strong, and many CAs such as Verisign (including Thawte and GeoTrust), CyberTrust, Entrust, GoDaddy, QuoVadis, XRamp, SecureTrust and DigiCert have already expressed their intention to support EV Certificates now, while other CAs such as Wells Fargo have expressed strong support for our efforts to drive EV Draft 11 forward. Browsers, such as KDE and Opera, are also planning to add support for EV Draft 11 in future versions of their software.

Starting at the end of January 2007, we will make the necessary updates to Windows, so that IE7 will recognize EV Certificates and modify the display accordingly (with a green background for the address bar, as well as embedded identity info, as shown in Figures 1 and 2, from Rob’s earlier post). This will mean that businesses can now assertively establish their online identity and make it visible to consumers who transact with them. Additionally, consumers will now have a new level of trust in their online transactions, because visible feedback on the identity of the business they are transacting with is readily available.

Fig 1: IE7 address bar for a site with an Extended Validation SSL certificate
(showing the identity of the site from the SSL certificate)

Fig 2: IE7 address bar for a site with an Extended Validation SSL certificate
(alternating in the name of the Certification Authority who identified the site)

We do not expect EV SSL Certificates to eradicate the phishing problem, but we are convinced that it is a significant step forward in protecting consumers. EV SSL Certificates provide tremendous value to Internet users today, and the industry will keep evolving the guidelines to keep pace with the changing Internet landscape.

Kelvin Yiu (with help from Rob Franco and Tom Albertson)
Program Manager
Microsoft representative to CA/Browser Forum

Comments

  • Anonymous
    November 07, 2006
    To me it looks just like what Opera does for a year now. How's that different than Opera's implementation (using OCSP)?

  • Anonymous
    November 07, 2006
    @KL: Opera9 displays information from the certificate, but it doesn't have any awareness of what data in the certificate had been validated by the CA, or how that validation was done.  EV guidelines will help remove this ambiguity.

  • Anonymous
    November 07, 2006
    Not sure what you mean by "does not have awareness"? Surely the CA has validated the entity name and domain - otherwise they have no business being a CA! I would argue that we don't need EV at all just better policies for CAs. If a CA is not up to its job, just revoke the CA's licence. This is similar to the kernel signing for Vista - how is a CA "more trusted" than another? How is a certificate "more trusted" than another? Why not just trusted or not trusted? I do want to thank you for including more CAs than just MS's buddy Verisign... Now if you could "fix" WinQual many developers would get their Christmas/New Year presents early ;) Adrian

  • Anonymous
    November 07, 2006
    Does that work with XP, too, or only with Vista? I had a problem testing it with XP although I had installed the testing root certificate of Microsoft.

  • Anonymous
    November 07, 2006
    No doubt that CAs do not validate the certificate requests properly. This wrong careless behavior should be corrected and not to add new, more expensive "EV" certificates. Were there any real cases with not properly validated certificates or the whole problem is just theoretical?

  • Anonymous
    November 07, 2006
    I have always been confused and asking "who gave me this certificate!?!!" Now IE7 will save me and the web in general. I love EV SSL!! I think it's good how you don't mention your main competitor, Mozilla Foundation, and instead mention Opera and KDE. I look forward to getting a certificate from Woodcove Tank in IE and of course knowing it's fake like millions of Average Joes out there surely will! I think IE7 is brilliant! I also like the green. It's superb how we don't have to upgrade to Vista for this. Microsoft are great to offer this for free next year! But of course it's recommended to update because we will all be better off when we drop XP; years of updating behind the scenes must make me safer!

  • Anonymous
    November 08, 2006
    Duane, you realize this is the IE7 blog, right? Mozilla actually abstained from the vote to accept Draft 11, although we continue to participate in the CA/Browser forum since we recognize the existing problems and limitations with certificates, and are interested in exploring sensible solutions. Not speaking for Mozilla, but speaking personally, I think that there's promise in EV/HA Certificates, but I don't think that Draft 11 is quite there yet, and am pretty concerned about a lot of the broader claims being made by its proponents. I also think we should be separating EV Certificates, The Technology and How Browsers Display EV Certificate Presence/Absence. (also, above, where I said "I'm not sure that "strong improvement" is the right way to characterize the response to Draft 11", I meant to write "I'm not sure that "strong SUPPORT" is the right way ...")

  • Anonymous
    November 08, 2006
    I have to agree with the sentiments that this seems like a huge bilk for anyone in the market for certificates by adding an additional tier to an already artificial tier system.  Let's be honest that SSL Certificate costs are already inflated well beyond any actual expense costs, with the only excuse being validation requirements.  EV appears to give CAs the excuse to lower the bar for their standard practices for existing certificates without lowering cost.  I highly doubt that someone that makes so much money on their certificates, and already alleges to follow the practices asked by EV, like Verisign, would offer EV as standard practice with no additional cost, but I'd love to be proven wrong. In the end, I'm worried that should the "added assurance" of that green bar in IE catch on in public opinion small businesses will have even more costs to eat to maintain their own web presence.  The barrier to entry for that "green bar" becomes a further obstacle in a small business, in attempting to grow, gaining public trust.  SSL Certificates are the equivalent of a tax on internet business and I'm wondering if CA Forum is at all representing the small business needs rather than CA bottom lines and absurd profit margins. Sorry for turning this into a CA rant, but I'm just jealous that I don't own a CA company.

  • Anonymous
    November 08, 2006
    Yes I realise this is an IE blog, however I had something pre-written that concerned both parties, however my sentiment is the same regardless, this isn't going to help end users, this isn't going to be widely accepted and Verisign and others have estimated the cost to be something like 150% more than current certificates cost (or about $2000-$2500 per year)... Now what small business can afford that?

  • Anonymous
    November 08, 2006
    Duane-- Either cite your sources, or expect that your "estimates" are ignored for the fiction that they are.

  • Anonymous
    November 08, 2006
    Hmmmm, I didn't mean to post multiple times but I was getting there was a bug and admins have been notified and nothing was showing up...

  • Anonymous
    November 09, 2006
    I think it's a good idea :) ~wng_z3r0 Microsoft MVP security

  • Anonymous
    November 13, 2006
    Dear all, Enough is enough!! http://news.com.com/With+IE+7%2C+green+means+go+for+legit+sites/2100-1029-6134647.html?part=dht&tag=nl.e703 In addition to the usability issues of the browser, IE 7 soon will provide misleading and false information about smaller sites that don't have EV SSL certificate (which is expensive and currently available only for large corporations) installed as a possible "phishing" site. It has done it again - using a sound reason for stupid moves, and this time, it will put thousands and thousands of small businesses out of business. If your site does not have EV SSL certificate installed, IE could give false and misleading information to your visitors that your site is NOT a legitimate site. I will now remove IE 7 from all of my systems and officially boycott IE 7 including the Vista which is using IE 7!!

  • Anonymous
    November 14, 2006
    As an engineer, I’m proud of the protections we delivered by finishing IE7 but I want to set your expectations

  • Anonymous
    December 21, 2006
    I’m Markellos Diorinos, and I am a product manager with the Internet Explorer team. Yesterday I read

  • Anonymous
    February 06, 2007
    Back in November, we announced our intention to bring Extended Validation SSL Certificates to IE7 . This

  • Anonymous
    February 07, 2007
    Entrust announced that they upgrade Non-EV Verisign SSL Certificates to Entrust EV Certificates for the same price they are paying for Non-EV Certificates. According to the Website this would be only $399 USD per year instead of $1499 USD per year. I do

  • Anonymous
    March 11, 2008
    Hey everyone, Christopher here. It’s been a while since I’ve blogged anything here (over a year in fact).

  • Anonymous
    June 24, 2008
    This blog post frames our approach in IE8 for delivering trustworthy browsing. The topic is complicated

  • Anonymous
    July 02, 2008
    As someone whose email address is posted in thousands of forum posts, newsgroup discussions, and blogs,

  • Anonymous
    March 16, 2009
    Hello! I'm Eric Lawrence, the person in charge of the Internet Explorer security program. Last Tuesday, Dean, about our thoughts on trustworthy browsers
