On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$)
The benefit is to the end user. They see a green address bar with the company's name displayed.
Yeah, company's name displayed -- individuals cannot apply for EVSSL certs.
With normal certs, the end user doesn't see a green address bar, and instead of the company's name displayed "(unknown)" is displayed and "This web site does not supply ownership information." is displayed.
If you ask me, hiding the company's name even when present on a non-EVSSL cert is tantamount to saying "Only EV-SSL certs are really trusted anyways".
So maybe instead of these shenanigans browser makers should have just started displaying a "don't trust this site" warning for any non-EVSSL cert.
As an academic aside, exactly what would one set on his (internal) root CA so that internally-trusted certs signed by that CA would show up as EV certs?
On Monday, September 12, 2011 12:08:56 PM Coy Hile wrote:
On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
<morrowc.lists@gmail.com> wrote:
what's the real benefit of an EV cert? (to the service owner, not the CA, the CA benefit is pretty clearly $$)
The benefit is to the end user. They see a green address bar with the company's name displayed.
Yeah, company's name displayed -- individuals cannot apply for EVSSL certs.
With normal certs, the end user doesn't see a green address bar, and instead of the company's name displayed "(unknown)" is displayed and "This web site does not supply ownership information." is displayed.
If you ask me, hiding the company's name even when present on a non-EVSSL cert is tantamount to saying "Only EV-SSL certs are really trusted anyways".
So maybe instead of these shenanigans browser makers should have just started displaying a "don't trust this site" warning for any non-EVSSL cert.
As an academic aside, exactly what would one set on his (internal) root CA so that internally-trusted certs signed by that CA would show up as EV certs?
The certificate would need an authority-specific OID included in the extension field, and you would have to modify the browser to acknowledge the OID as legitimate.
Regards,
Cody Rose
NOC & Sys Admin
On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile@coyhile.com> wrote:
As an academic aside, exactly what would one set on his (internal) root CA so that internally-trusted certs signed by that CA would show up as EV certs?
This is not possible without changing browser source code and recompiling (or debugging/editing the browser binary). The IDs of certificates that are allowed to sign EVSSL CAs are hard-wired in the browser. In some browsers, this also means it's impossible for an end user to "untrust" or remove an EVSSL CA.
It also means you cannot, as a site administrator, make an administrative decision to internally add an internal EVSSL CA without customizing every browser.
If you ask me... it's shoddy software design. EVSSL CAs should be configurable, but none of the major browsers provide the knobs to manually add or remove EVSSL access to/from a trusted CA.
--
-JH
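The two replies above describe the same mechanism from two sides: the certificate has to carry a policy OID in its certificatePolicies extension, and the browser has to carry a compiled-in table that maps a trusted root to the OIDs it is allowed to assert as EV. The following is an added example, not code from the thread or from any browser, that models that decision with a minimal DER encoder and parser from the Python standard library. The CA/Browser Forum EV policy OID 2.23.140.1.1 is real; the internal OID under 1.3.6.1.4.1.99999, the two "root certificate" byte strings and the EV table are constructed placeholders for illustration. Real browsers additionally walk the whole chain and apply RFC 5280 policy processing; this example checks only the leaf's policies against the root's table entry.

```python
"""Model of the browser-side EV decision: (root fingerprint, policy OID) must be in a built-in table."""
import hashlib

CABF_EV_OID = "2.23.140.1.1"                 # real CA/Browser Forum EV policy OID
INTERNAL_EV_OID = "1.3.6.1.4.1.99999.1.1"    # hypothetical OID an internal CA might mint


def _encode_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + _encode_len(len(out)) + bytes(out)


def build_certificate_policies(oids):
    """DER certificatePolicies: SEQUENCE OF PolicyInformation { policyIdentifier OID }."""
    body = b"".join(b"\x30" + _encode_len(len(o)) + o for o in map(_encode_oid, oids))
    return b"\x30" + _encode_len(len(body)) + body


def _read_tlv(buf: bytes, i: int):
    """Return (tag, value, index after the element) for the TLV starting at buf[i]."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length


def _decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def policy_oids(ext_der: bytes):
    """Extract every policyIdentifier from a DER certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, i = [], 0
    while i < len(seq):
        tag, info, i = _read_tlv(seq, i)
        t, oid_bytes, _ = _read_tlv(info, 0)      # policyIdentifier is the first element
        if tag != 0x30 or t != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(_decode_oid(oid_bytes))
    return oids


def root_fingerprint(root_der: bytes) -> str:
    """Browsers key their EV table on the SHA-256 of the root certificate's DER."""
    return hashlib.sha256(root_der).hexdigest()


def is_ev(leaf_policies_der: bytes, root_der: bytes, ev_table) -> bool:
    """EV only if the chain's root is in the table AND the leaf asserts one of that root's EV OIDs."""
    allowed = ev_table.get(root_fingerprint(root_der), set())
    return any(oid in allowed for oid in policy_oids(leaf_policies_der))


# Constructed placeholders: the bytes only stand in for what gets hashed, they are not real certs.
INTERNAL_ROOT_DER = b"placeholder DER of an internal enterprise root CA"
PUBLIC_ROOT_DER = b"placeholder DER of a browser-trusted public EV root"

# What ships compiled into the browser: the public root, and only its own EV OID.
BUILTIN_EV_TABLE = {root_fingerprint(PUBLIC_ROOT_DER): {CABF_EV_OID}}


def demo():
    """Leaf from the internal CA asserting both OIDs; an OID in the cert alone never makes it EV."""
    leaf = build_certificate_policies([INTERNAL_EV_OID, CABF_EV_OID])
    # The "modify the browser" step from the thread: a patched table that knows the internal root.
    patched = dict(BUILTIN_EV_TABLE)
    patched[root_fingerprint(INTERNAL_ROOT_DER)] = {INTERNAL_EV_OID}
    return {
        "internal_root_builtin_table": is_ev(leaf, INTERNAL_ROOT_DER, BUILTIN_EV_TABLE),
        "public_root_builtin_table": is_ev(leaf, PUBLIC_ROOT_DER, BUILTIN_EV_TABLE),
        "internal_root_patched_table": is_ev(leaf, INTERNAL_ROOT_DER, patched),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'EV' if result else 'not EV'}")
```

The first case is the one that matters for the question in the thread: the leaf carries the genuine CA/Browser Forum EV OID, yet the browser still refuses EV treatment because the internal root's fingerprint is not in its table. Copying a public CA's OID into an internal cert therefore gains nothing, and the only way to turn the third case on is to change the table, which in shipping browsers means rebuilding or patching the binary.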
On Mon, Sep 12, 2011 at 11:39 PM, Jimmy Hess <mysidia@gmail.com> wrote:
On Mon, Sep 12, 2011 at 7:08 AM, Coy Hile <coy.hile@coyhile.com> wrote:
As an academic aside, exactly what would one set on his (internal) root CA so that internally-trusted certs signed by that CA would show up as EV certs?
This is not possible without changing browser source code and recompiling (or debugging/editing the browser binary). The IDs of certificates that are allowed to sign EVSSL CAs are hard-wired in the browser. In some browsers, this also means it's impossible for an end user to "untrust" or remove an EVSSL CA.
It also means you cannot, as a site administrator, make an administrative decision to internally add an internal EVSSL CA without customizing every browser.
If you ask me... it's shoddy software design. EVSSL CAs should be configurable, but none of the major browsers provide the knobs to manually add or remove EVSSL access to/from a trusted CA.
Thanks. I saw something about it on TechNet. (I'm using Windows for my internal CA). I'm guessing those instructions may work for IE only. If I find anything interesting, I'll let you know.
Participants (3): Cody Rose, Coy Hile, Jimmy Hess