Extended Validation SSL Certificates

Dr. Tim Moses (Entrust)


ABSTRACT

Various aspects of the application of SSL to the Web have been widely criticized. Amongst these are: the absence of minimum standards for the protection of private keys and issuance of certificates; the lack of uniformity in trust indicators; patchy support for revocation; lax controls over the browser root store; unwillingness on the part of the CAs to accept liability; and the placement of the onus on the consumer to review the issuer's practices.

The emergence of phishing and man-in-the-middle attacks using misleading Web addresses has turned the spotlight on Web security and highlighted the fact that SSL really only provides a confidential channel with weak authentication. While confidentiality on its own mitigates certain threats, the most serious threats have to be addressed by strong mutual authentication.

A number of mutual authentication solutions have been described. One of these is called EV, or extended validation, SSL. It leverages the extensive existing infrastructure for SSL, but it addresses many of its current shortcomings.

In this talk we describe what EV SSL is, how it came about, what future developments are planned and some of its limitations.

BIOGRAPHY

Tim Moses is the Senior Director of the Advanced Security Technology group at Entrust Inc., where he is responsible for Entrust's research and standards activities. He is currently the chair of the CA / Browser Forum, the body responsible for the definition of EV SSL.