Secure sockets layer (SSL) certificates allow web users to verify the identity of the organisation running a website and indicate that the site's traffic is encrypted. The certificates are commonly used by banks and e-commerce websites.
Users can identify a website using certificates through a small padlock that shows up in the browser window. Older versions of Internet Explorer place the icon in the bottom of the window while Internet Explorer 7 puts it in the address bar. Firefox colours the address bar yellow in addition to displaying a padlock.
Online scammers, however, have eroded trust in SSL certificates by using them for phishing websites and other online frauds. Currently browsers will still recognise certificates that weren't issued by official certificate authorities (CAs). Critics also charge that some CAs fail to check the identity of applicants because they prefer their revenues over rigid security.
The Extended Validation (EV) SSL certificates will therefore introduce a more stringent vetting process, including a verification of the applicant's physical existence, identity and place of business, as well as its right to use the domain name for which the document is requested.
The standard is defined by the CA/Browser Forum, which is made up of both CAs and browser developers. The organisation last month published a Draft 11 version of its guidelines. Microsoft earlier this week on its IE Blog called upon its fellow members to support the current guidelines in their certificates and browsers.
Following January's Internet Explorer 7 update, the address bar in the browser will turn green when the user visits a website that uses an EV SSL certificate, and will display the name of the CA that issued the document.
In addition to Microsoft, the Opera and KDE browsers too plan to add support for the technology.
Mozilla is part of the CA/Browser Forum, but hasn't yet publicly discussed how it will support the standard. A spokesperson for the company declined to comment.
In anticipation of the support by browsers, several CAs are starting to advertise the new certificates.
Hosting provider GoDaddy said that it expects to start selling the certificates early next year. Xramp meanwhile is planning to start selling certificates based on the current draft specifications later this month. Verisign too will sell EV SSL certificates, but was unable to say when it will start issuing the documents.
Industry lines up behind enhanced SSL standard
By Tom Sanders on Nov 10, 2006 4:55PM