Extended Validation Certificates

For some time, the Mozilla Foundation has been taking part in a group called the CA/Browser Forum (CABF), an association of the major public-facing CAs and all the major browser-makers except Apple.

Currently, there is no minimum level of validation which is done before a certificate is issued, leading to the existence of “domain control only” certificates, which contain no information about the party to whom they are issued. Such certificates have some uses, but are not recommended for e-commerce. Other CAs claim to do more vetting, but their methods are trade secrets and there is no standardisation. Despite these differences, the current browser presentation of all certificates is the same padlock icon.

The aim of the group is to develop a new, higher standard for the validation which is done before certificate issuance, called Extended Validation (EV). The idea is that such certs would be presented differently in the UI, to give the CAs a reason to go to the extra effort, and to give customers a reason to buy them. In IE 7 at least, the use of an EV certificate is tied to the green background in the URL bar.

The Foundation representatives have so far not made a commitment to the CABF on the exact timing or nature of our support for EV. This includes the UI.

The guidelines have been developed via a very long and drawn-out process, including several face-to-face meetings with competing specifications from different groups of CAs over the past two years. Eventually and quite recently, a Microsoft employee synthesised a unified specification, which has now been made available for public comment.

While the CABF website has a public comment procedure, I suggest it would be best for the Foundation to try and come to a consensus within the project first. We need to decide whether EV will make a material difference to the reliability of information in certificates and, if so, whether that warrants a different UI presentation for EV certificates. It would also be good to have a more general discussion about how we present security information to users. Ideally, I would be able to give any feedback to the editor before November 19th, after which there may be another vote on adopting the updated specification. Please join the discussion in the mozilla.dev.security newsgroup.
