Frequently Asked Questions - Extended Validation SSL


What is SSL?
SSL stands for Secure Sockets Layer. Like TLS (Transport Layer Security, its standardized successor), SSL is a security protocol that operates between a browser and a Web site. It provides confidentiality and data integrity by means of cryptographic techniques and, when used with a certificate issued by a trusted third party, it can report trustworthy information to one party about the other party. Typically, SSL is used to provide the browser and its user with trustworthy information about the Web site.

Cryptographic techniques provide confidentiality and data integrity protection for messages passing in either direction between the browser and the Web site. This prevents anyone who handles the messages in transit, such as an Internet Service Provider or any other network operator on the path, from viewing or modifying their contents. It also limits the damage from attacks that redirect the connection, such as DNS cache poisoning: an attacker who diverts the browser to a server of their own cannot present a valid certificate for the expected domain, so the browser warns the user instead of connecting silently. Likewise, because shared HTTP caches between the browser and the Web site cannot read or store the encrypted traffic, attacks that poison those caches, such as cache poisoning through HTTP response splitting, cannot be used to feed forged content to the browser. SSL does not, however, fix the flaw in a Web application that makes response splitting possible in the first place.

What is a certificate?
A certificate (more properly called a public-key certificate in this context) is an electronic document, signed by a certification authority (CA), that asserts the binding between identifying information and a public key; that public key can then be used to authenticate the entity to which the identifying information applies. As a minimum, the identifying information includes one or more domain names, and the browser verifies that the host name in the URL displayed in its address bar matches one of them (a name in the certificate's Subject Alternative Name extension or, if the certificate has none, its subject Common Name).

The browser uses the CA's public key to verify the CA's signature on the certificate. If the signature verifies, the certificate is within its validity period and has not been revoked, and one of the names it contains matches the host name displayed in the browser's address bar, then the browser displays a padlock icon, indicating that a secure connection has been established between the browser and a Web site that holds the private key belonging to the certificate.
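The name and validity checks described above, as an added example written for this FAQ (not code from the original page): the host name is taken from the URL the way a browser interprets it, compared against the certificate's names with the wildcard rules browsers apply, and the certificate is rejected outside its validity period. Certificate fields are supplied as constructed Python values rather than parsed from a real certificate, so the example runs offline with the standard library; SAMPLE_CERT, certificate_matches_url and dnsname_matches are names of this example's own, and signature verification and revocation checking, which need a cryptographic library, are left out.

```python
"""Name and validity checks a browser makes before showing the padlock.

Added example for this FAQ, not code from the original page. Certificate
fields are passed in as plain Python values (constructed sample data), so
no DER parsing or cryptographic library is needed; verifying the CA's
signature and checking revocation are outside this example.
"""
from datetime import datetime, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit


def host_from_url(url: str) -> str:
    """Extract the host a browser would connect to: lower-cased, trailing dot removed.

    urlsplit() discards userinfo and port, so 'https://bank.example@evil.test/'
    yields 'evil.test', exactly the host the browser would actually contact.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    return host.rstrip(".").lower()


def is_ip_literal(host: str) -> bool:
    """True when the URL's host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def dnsname_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a host (RFC 6125 section 6.4.3 rules).

    A wildcard is honoured only when it is the entire left-most label, it
    matches exactly one label, and at least two labels must follow it, so
    '*.com' never matches.  Partial wildcards such as 'f*o.example.com' and
    multiple wildcards are rejected.
    """
    pattern = pattern.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    labels = pattern.split(".")
    if labels[0] != "*" or "*" in pattern[2:] or len(labels) < 3:
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def certificate_matches_url(cert: dict, url: str, now: datetime) -> bool:
    """Return True if `cert` may be shown with a padlock for `url` at time `now`.

    `cert` carries: common_name, dns_names (SAN dNSName list), ip_addresses
    (SAN iPAddress list), not_before, not_after.  Per RFC 2818/6125 the
    Common Name is consulted only when the certificate has no dNSName.
    """
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return False                                   # expired or not yet valid
    host = host_from_url(url)
    if is_ip_literal(host):                            # IP URLs match iPAddress entries only
        wanted = ip_address(host)
        return any(ip_address(ip) == wanted for ip in cert.get("ip_addresses", []))
    names = cert.get("dns_names") or ([cert["common_name"]] if cert.get("common_name") else [])
    return any(dnsname_matches(name, host) for name in names)


# Constructed sample certificate data; not a real certificate.
SAMPLE_CERT = {
    "common_name": "www.example.com",
    "dns_names": ["www.example.com", "*.shop.example.com"],
    "ip_addresses": [],
    "not_before": datetime(2007, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2008, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2007, 6, 1, tzinfo=timezone.utc)            # inside the validity period
AFTER_EXPIRY = datetime(2009, 1, 1, tzinfo=timezone.utc)   # after not_after

if __name__ == "__main__":
    for url in ("https://www.example.com/login",
                "https://cart.shop.example.com/",
                "https://a.b.shop.example.com/",            # wildcard covers one label only
                "https://www.example.com.attacker.test/",   # look-alike host
                "https://www.example.com@attacker.test/"):  # '@' trick: real host is attacker.test
        print(f"{url:45} -> {certificate_matches_url(SAMPLE_CERT, url, NOW)}")
    print(f"expired check -> {certificate_matches_url(SAMPLE_CERT, 'https://www.example.com/', AFTER_EXPIRY)}")
```

The last two URLs in the demonstration are the kind of obscure address the later section on the need for extended validation refers to: the first embeds the expected name inside an attacker's domain, the second uses the userinfo part of the URL so that the browser actually connects to attacker.test. In both cases the name check fails because the attacker cannot obtain a certificate for the victim's domain, which is exactly what the padlock is supposed to tell the user.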

What is a certification authority?
A certification authority (sometimes referred to as a certificate authority) is a trusted third party that issues digital certificates. On the Web, certification authorities (CAs) are typically separate business entities whose public keys are provisioned to the browser by the browser supplier. The CA accepts requests for certificates from Web site operators who provide the identifying information that they wish to have included in the certificate. The CA verifies the accuracy and applicability of the identifying information before including it in the certificate and returning it to the Web site operator.

The Web site sends its certificate to the browser as part of the SSL handshake.

What is the DNS?
DNS stands for Domain Name System. It is the part of the Internet that translates a familiar domain name, such as "example.com", to an IP address. The Internet routes messages to their destinations on the basis of the destination IP address. However, because users are more familiar with domain names as a way of identifying locations on the Internet, a system is needed to translate between these two forms of address. That translation system is the DNS.

What standards do certification authorities have to comply with?
Generally, in order to be accepted by a browser supplier, a certification authority (CA) must meet standards set by either the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) or the European Telecommunications Standards Institute (ETSI). The AICPA/CICA standard is called "WebTrust for CAs" and the ETSI standard is "ETSI TS 101 456, Policy requirements for certification authorities issuing qualified certificates."

These audit schemes impose requirements on the CA's systems, personnel and procedures, but they do not currently prescribe the specific methods the CA must use to validate the identifying information that is to be included in a certificate.

With the introduction of extended validation certificates (EV SSL Certificates), WebTrust will be augmented to audit the CA's conformance with the extended validation guidelines.

What is a domain-validated certificate?
A domain-validated certificate is an SSL certificate in which the validated identifying information is limited to the domain name(s) of the Web site; it says nothing verified about the organization that operates the site. If a secure connection is established between the browser and a Web site secured with a domain-validated certificate, the browser displays the padlock icon.

What is an organizationally validated certificate?
An organizationally validated certificate is one in which the validated identifying information includes the domain and information about the business entity that operates the Web site, such as its registered business name. Organizationally validated certificates differ from extended validation certificates (EV SSL Certificates) in that they are not necessarily issued in compliance with the extended validation guidelines. Furthermore, the organizational identifying information they contain does not receive prominent display in the most popular browsers. If a secure connection is established between the browser and a Web site secured with an organizationally validated certificate, the browser displays the padlock icon.

What is an extended validation certificate?
An extended validation certificate (EV SSL Certificate) is a certificate issued in conformance with the extended validation guidelines defined by the CA/Browser Forum. A browser recognizes an EV SSL Certificate by a policy identifier in the certificate that the browser supplier has associated with the issuing CA's root, and then gives the organizational identifying information and the name of the issuing CA prominent display. Browsers without that support treat it like any other valid certificate and show only the padlock.

What are the extended validation guidelines?
The extended validation guidelines contain a set of requirements for the operations of certification authorities (CAs) that issue extended validation certificates (EV SSL Certificates). These requirements mostly govern the process of validating the identifying information that is to appear in an EV SSL Certificate. However, the guidelines also establish requirements for several other aspects of a CA's operations, including insurance coverage, revocation services, cryptographic key parameters and personnel qualification.

Why is there a need for extended validation certificates?
Because there are no generally accepted standards for verifying the organizational information contained in some certificates, uncertainty has arisen in users' minds over the significance of the padlock icon. This confusion has been compounded by the growing practice among Web site operators of displaying padlock icons within the page content itself, where any site, legitimate or not, can draw one. Furthermore, the URLs that commonly appear in browser address bars have become long and obscure, and users can no longer rely on them to assure themselves that they are transacting with the Web site operator they expect. Therefore a need arose to display trusted identifying information about the operator of the Web site, and to do so in a way that clearly indicated to users the identity of the business entity with whom they were dealing. This had to be done in a way that established minimum standards for the trustworthiness of that identifying information. Hence, the major browser suppliers and a group of certification authorities (CAs) came together to develop these minimum standards. At the same time, some browser suppliers developed user interface conventions for displaying that information in a way that emphasizes its trustworthiness.

With these combined developments, it is expected that the Web users who engage in sensitive transactions with their governments, financial service providers, health care providers, etc. will look for these new cues as part of their personal Web use routine.

When will we see Web sites protected by extended validation certificates?
Many browser suppliers plan to provide support for extended validation certificates (EV SSL Certificates) some time during 2007.

Microsoft's IE7 and Vista currently provide full support for EV SSL Certificates.