ABSTRACT
Various aspects of the application of SSL to the Web have been widely
criticized. Amongst these are: the absence of minimum standards for the
protection of private keys and issuance of certificates; the lack of uniformity
in trust indicators; patchy support for revocation; lax controls over the
browser root store; unwillingness on the part of the CAs to accept liability;
and the placement of the onus on the consumer to review the issuer's practices.
The emergence of phishing and man-in-the-middle attacks using misleading Web
addresses has turned the spotlight on Web security and highlighted the fact
that SSL really only provides a confidential channel with weak authentication.
While confidentiality on its own mitigates certain threats, the most serious
threats have to be addressed by strong mutual authentication.
A number of mutual authentication solutions have been described. One of
these is called EV, or extended validation, SSL. It leverages the extensive
existing infrastructure for SSL, but it addresses many of its current
shortcomings.
In this talk we describe what EV SSL is, how it came about, what future
developments are planned and some of its limitations.
BIOGRAPHY
Tim Moses is the Senior Director of the Advanced Security Technology group at
Entrust Inc., where he is responsible for Entrust's research and standards
activities. He is currently the chair of the CA / Browser Forum, the body
responsible for the definition of EV SSL.