Extended Validation v1.0 approved
Tuesday, June 12, 2007 3:31:06 PM
As I posted earlier on Opera Labs, work has been under way to create an improved process, Extended Validation (EV), for issuing web site certificates that can give a higher degree of assurance to the user that the SSL/TLS website in question really is who it claims it is, and how to tell the browsers that this process has been used.
Last week, after two years of work, the members of the CA/Browser Forum, a group consisting of many certificate authorities (for example Verisign, Comodo and Entrust) and browser vendors (KDE, Microsoft, Mozilla, Opera), voted to approve version 1.0 of the Extended Validation Guidelines.
These guidelines describe the steps a CA must, at a minimum, take to validate that the information in a certificate request is correct: confirming the legal existence of the business or government agency, its control of the domain, the requester's authority to apply for the certificate, and so on. Compliance with the guidelines is verified by regular independent audits.
This version of the guidelines also addresses certain concerns about which kinds of businesses are eligible for EV certificates.
Once the certificate is issued and installed on the server, a browser that supports EV will not just verify the signature on the certificate; it will also:
- verify that the certificate is still valid and has not been revoked because of some problem [link to revocation article], and
- check that the certificate carries one of the EV policy identifiers (EV OIDs) that the browser has registered for that particular CA; an EV OID belonging to a different CA does not count.
If all of these checks pass, the browser displays a visible indicator to the user that the certificate for the site was issued in accordance with the guidelines. The indicator agreed upon by the browser vendors is a green security toolbar beside the address field, perhaps with a couple of other embellishments.
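The decision a browser makes before painting the indicator can be modelled with Go's standard library. The following is an added example, not code from the original post or from Opera: it builds a constructed two-certificate chain in memory, then runs the three checks above in `evaluateEV`. The CA name "Example EV Root CA", the EV OID 1.3.6.1.4.1.99999.1.1 and the `evPolicyByIssuer` table are invented stand-ins for the per-CA EV OID list a browser ships, and the `revoked` flag stands in for the CRL/OCSP answer, which would need the network.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// certificatePolicies (RFC 5280, 4.2.1.4) is a SEQUENCE OF PolicyInformation;
// only the policy OID is needed here, so qualifiers are left out.
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

type policyInformation struct {
	PolicyIdentifier asn1.ObjectIdentifier
}

// A browser ships EV OIDs per CA, bound to the root they belong to. This
// table, the CA name and the OID are hypothetical values for this example.
var evPolicyByIssuer = map[string]asn1.ObjectIdentifier{
	"Example EV Root CA": {1, 3, 6, 1, 4, 1, 99999, 1, 1},
}

// evaluateEV runs the checks the post lists before the bar may turn green.
// `revoked` stands in for the CRL/OCSP answer, which needs the network.
func evaluateEV(cert, issuer *x509.Certificate, now time.Time, revoked bool) (bool, string) {
	if err := cert.CheckSignatureFrom(issuer); err != nil {
		return false, "signature: " + err.Error()
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, "outside validity period"
	}
	if revoked {
		return false, "revoked"
	}
	// The EV OID must be the one registered for *this* issuer, not just any EV OID.
	want, ok := evPolicyByIssuer[issuer.Subject.CommonName]
	if !ok {
		return false, "no EV OID on file for this issuer"
	}
	for _, oid := range cert.PolicyIdentifiers { // parsed certificatePolicies
		if oid.Equal(want) {
			return true, "EV policy " + oid.String() + " present"
		}
	}
	return false, "certificate carries no EV OID for this issuer"
}

// issue builds a certificate in memory (parent == nil: self-signed CA). The
// chain is constructed only so the example runs offline.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, policy asn1.ObjectIdentifier) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	if policy != nil { // emit the extension by hand so it works on every Go release
		val, err := asn1.Marshal([]policyInformation{{PolicyIdentifier: policy}})
		if err != nil {
			return nil, nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	ca, caKey, err := issue("Example EV Root CA", nil, nil, nil)
	if err != nil {
		panic(err)
	}
	ev, _, _ := issue("www.example.com", ca, caKey, evPolicyByIssuer[ca.Subject.CommonName])
	dv, _, _ := issue("www.example.com", ca, caKey, nil) // same CA, no EV OID
	fmt.Println(evaluateEV(ev, ca, time.Now(), false))
	fmt.Println(evaluateEV(dv, ca, time.Now(), false))
	fmt.Println(evaluateEV(ev, ca, time.Now(), true))
}
```

The two leaves come from the same CA and differ only in the certificatePolicies extension, so the first is the only one that earns the indicator; revoking it, letting it expire, or presenting the same OID under a CA the browser has no EV entry for all fall back to the ordinary SSL/TLS treatment.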
EV certificates have been issued for a few months based on a preliminary version of the guidelines, and have been recognized by IE7.
No public version of Opera currently supports EV, although we built a demo version with rudimentary EV support last year. Work is going on to produce a full version that supports EV, and we are planning to include support in "Kestrel".
Work in the CA/B Forum is by no means at an end; there are a number of other areas that need functionality similar to what EV provides for SSL/TLS, as well as possible improvements to the current guidelines.
Stay tuned.
Comments
Josjosjoslyn # Thursday, August 2, 2007 10:43:36 AM
1. Banks(UK & US) - not sure with regard to other countries
2. On-Line Shopping - to my knowledge (experience) 100% - okay, 100% is limited to the sites I have visited, so nowhere near comprehensive, but still even if there are sites out there, Opera's acceptance as a secure browser is not global. Which really frustrates me, when "they" want you to use IE (security is a joke on that tool!!) ... So I use Firefox for all my "https" visits.
I love using Opera on my desktop, although some of the "button" placements on some sites are still "skewed" and overlap content. The security is great, and good to see Opera still attaching the highest value to this, the most important aspect of the "web browser". BUT, it still fails to be accepted as a viable option for secure web-site usage. Until that has been resolved, and Opera is regarded as "globally mainstream" by corporates, the Opera Browser will remain where it currently resides ...... which is a crying shame
Jos Joslyn
deborahwebb # Tuesday, February 12, 2008 12:03:32 PM