The Shortcut Guide to Extended Validation SSL Certificates

by Dan Sullivan


The Shortcut Guide to Extended Validation (EV) SSL Certificates examines security challenges to online business operations as well as responses to those concerns. This guide describes how technologies such as SSL have been used in the past to prevent fraud and ensure confidentiality and how new threats, such as phishing scams, are driving the need for the improved authentication and verification provided by extended validation SSL certificates. The Shortcut Guide to Extended Validation (EV) SSL Certificates also includes detailed descriptions of the EV SSL certification process as well as the user experience. The work concludes with a look at the future of extended validation technologies and services.


Chapter 1: Security Challenges and the Business Case for EV SSL Certificates

The Internet has rapidly become an integral part of day-to-day business and is now, along with shipping, manufacturing, and financial accounting, a critical component of business operations. The Internet, however, poses unique security challenges that threaten to undermine its ability to support business-grade services. The risks of unchecked security weaknesses include fraud and identity theft, which may ultimately damage a company’s brand and reputation. Mitigating these risks requires a wide array of measures.

Broadly speaking, security measures are designed to protect three fundamental aspects of information:

  • Confidentiality of information
  • Integrity of information
  • Availability of information resources

Confidentiality and integrity are especially important to establishing and maintaining trust among businesses and customers. Customers must be comfortable sharing information with businesses and be confident that it will not fall into the hands of hackers and thieves. When a customer makes a purchase in a store, the customer can see exactly what he is buying, he hands his credit card to a human who hands it right back, and the customer knows that if there is a problem a manager is probably nearby. Aspects of in-person commerce such as these help establish trust between customers and businesses.

Chapter 2: Overview of SSL and EV SSL Certificates

SSL certificates are widely used in secure Web communications, but because they function “behind the scenes,” most users give little attention to how they work. This chapter will take a closer look at SSL certificates to answer several key questions:

  • How are SSL certificates used?
  • How are they implemented?
  • What are their limitations?
  • How are Extended Validation (EV) SSL certificates different?

In answering these questions, we will delve into both the technical and organizational issues that are involved with the use of SSL certificates.

Chapter 3: Authentication and Verification

In the first two chapters, we have seen a wide range of threats to Web security, including phishing and loss of privacy and confidentiality. The implications for businesses include fraud, identity theft, damage to brand reputation, and ultimately the reduced potential for online business due to a lack of trust. Clearly, business transactions are dependent on establishing authenticated identities and maintaining the confidentiality and integrity of transactions. SSL has met many of these needs, but changes in phishing and other attacks are pushing the limits of SSL-based protections. Certification Authorities (CAs) and browser vendors have responded with the Extended Validation (EV) SSL certificate.

The EV SSL authentication and verification standard is more demanding for both CAs and parties seeking certificates, and it has also required feature and functionality updates to web browsers in order to display the unique interface conventions associated with these certificates. This chapter will focus on the CAs and the parties seeking certificates. The use of EV SSL within browsers is the subject of Chapter 4.

Chapter 4: User Experience

A key feature of Extended Validation SSL certificates is that they provide users with identity verification of the companies, government agencies, and organizations with which they do business. Previous chapters explained the standards EV SSL certificate holders must meet as well as the regulations governing CAs that issue EV SSL certificates. In this chapter, we turn our attention to the benefits of EV SSL certificates to users.

A key factor in ensuring the effectiveness of the Extended Validation SSL standard is that it was defined through contributions from a consortium of Certification Authorities and browser manufacturers. In turn, the browser manufacturers have released or plan on releasing enhanced versions of their browsers that illustrate the unique interface conventions associated with EV SSL.

Chapter Five Preview: Future of EV SSL Certificates

Extended Validation (EV) SSL certificates are the first significant advance in digital certification since the adoption of the X.509 standard certificates for SSL. The creation of EV SSL certificates came about in response to a pressing business need. It is likely that additional needs will emerge and the EV SSL standard will evolve in response. Of course, we cannot predict the future, but we can use our understanding of past experiences and current challenges in business to venture possible paths of EV SSL certificate evolution.

This chapter frames the discussion of the future of EV SSL certificates around:

  • Historical patterns and the development of information security
  • Near-term emerging requirements
  • Improvements in browser interfaces and usability
  • Extended applications of EV SSLs

It is often best to start with a look to the past to understand what might lie ahead.