What is ‘Extended Validation’?‘
Extended Validation’ refers to rigorous, industry standard validation methods to be used by a CA before issuing an SSL/TLS certificates. The guidelines for Extended Validation are published by the CA/Browser Forum here.
What is an EV (Extended Validation) Multi-Domain SSL/TLS Certificate?
An Extended Validation (EV) SSL/TLS certificate created by an industry consortium called the CA/Browser forum. This new category of certificate was conceived in response to the growing threat of phishing attacks with a goal of increasing consumer confidence in online transactions. EV certificates will be issued to websites only after rigorous validation of their identity. Web browsers will reflect this higher level of identity assurance with prominent and distinct trust indicators, such as the green address bar in Internet Explorer and Mozilla Firefox, and advanced green indicators in the latest versions of Opera and Google Chrome.
What is the CA/Browser Forum?
The CA/Browser Forum is a group of Certification Authority service providers, web browser manufacturers, and other industry participants that came together to look at ways to reduce the threat of phishing. Entrust formerly chaired this group and strongly supports its work. More information can be found at the CA/Browser Forum website.
Which browsers support Entrust EV Multi-Domain SSL/TLS Certificates?
The majority of browsers in use today display green trust indicators for EV. Some of the major browsers supporting EV are Internet Explorer (version 7 and above), Mozilla Firefox version 3, Opera version 8, Safari version 3.2, Google Chrome and Flock version 2.
How will Entrust EV Multi-Domain SSL/TLS Certificates increase consumer confidence?
With numerous malicious phishing incidents and online fraud, consumers are concerned with identity theft and would like reassurance that the site they are entering their personal data into can be trusted. If consumers feel the site is not trusted and their personal information is unencrypted, they will leave the site and take their transactions to another vendor. Entrust EV Multi-Domain SSL/TLS Certificates will help increase consumer confidence by displaying prominent and consistent trust indicators while consumers are conducting online transactions. Now the lock is now at the top of the browser window instead of the bottom, and if a website has an Entrust EV Multi-Domain SSL/TLS Certificate installed, the address bar color will display green and will display the identity of the site and the name of the certificate authority to let the consumer know they can shop with confidence.
Who can purchase an Entrust EV SSL/TLS Certificate?
A broad range of business entities are now eligible for EV certificates:
Private Organization: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation.
Government Entity: A government-operated legal entity, agency, department, ministry, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc).
Business Entity: Any entity that is neither a Private Organization nor a Government Entity. Examples include general partnerships, unincorporated associations and sole proprietorships.
How can I buy an Entrust EV Multi-Domain SSL/TLS Certificate?
Entrust EV Multi-Domain SSL/TLS Certificates will be available first for purchase through Entrust Certificate Services website at https://www.entrustdatacard.com/products/categories/SSL/TLS-certificates/
, and at a later date through our Enhanced interface for customers managing larger pools of certificates.
Can I upgrade my existing Entrust SSL/TLS Certificates to the new Entrust EV Multi-Domain SSL/TLS Certificates?
Yes. Please note that customers taking advantage of these promotions will need to be validated under the new EV guidelines before certs can be issued.
What is the maximum lifetime for an Entrust EV Multi-Domain SSL/TLS Certificate?
Entrust EV Multi-Domain SSL/TLS Certificates have a maximum of lifetime of 2 years (24 months).
How will Entrust EV Multi-Domain SSL/TLS Certificates be different from the current Entrust SSL/TLS Certificates?
The primary difference will be in what happens before the Entrust EV SSL/TLS Certificates are even issued. Before issuing any Entrust SSL/TLS Certificate, Entrust performs checks to "vet", or validate, the identity of the requestor.
Under the new EV model, validation of an entity (e.g. a company or web site operator) requesting an Entrust EV Multi-Domain SSL/TLS Certificate will be performed using industry standard guidelines, as defined by the CA/Browser Forum. This is different from current practices in that different Certification Authorities have very different validation standards. Although the majority of Certification Authorities have rigorous validation practices, not all do, and this undermines the overall security of SSL/TLS for consumer transactions.
Certificates issued using "Extended Validation" will include a reference to an EV-specific certificate policy. Each Certification Authority will have a unique policy and Policy Object Identifier (OID). Browsers supporting EV will behave differently when they encounter a certificate issued under an EV policy OID that they recognize.
Note that at a technical level, Entrust EV Multi-Domain SSL/TLS Certificates will not be different from standard X.509 certificates, and will be backwards compatible with older browsers. Entrust EV Multi-Domain SSL/TLS Certificates will include more information on the subject (the entity the certificate was issued to) – including jurisdiction of incorporation.
Are my existing Entrust SSL/TLS Certificates still sufficient for securing online transactions?
From a cryptographic perspective, yes your current Entrust SSL/TLS Certificates are still going to result in encrypted SSL/TLS sessions.
However, the greatest threat to online transactions is not cryptographic in nature – it is phishing. Phishing preys on consumer's inability to discern between trustworthy sites and imposter sites.
The EV initiative is targeted at making it easier for consumers to make that distinction. From a usability perspective, non-EV certificates will have decreasing effectiveness as consumers adopt the new browsers and come to expect the strong trust indicators provided by Entrust EV Multi-Domain SSL/TLS Certificates while conducting transactions.
Should I switch to Entrust EV Multi-Domain SSL/TLS Certificates?
If you are operating a website that conducts ecommerce transactions, or if you collect sensitive or private information, you should be considering switching to Entrust EV Multi-Domain SSL/TLS Certificates.
Phishing attacks are a real threat to the trust consumers have placed on the internet, and Entrust EV Multi-Domain SSL/TLS Certificates can only be part of the solution if they are deployed and used widely.
How will older browsers without EV support behave on sites with Entrust EV Multi-Domain SSL/TLS Certificates?
Browsers without EV support will continue to behave as they do today. As long as the certificate was issued by a CA trusted by the browser, the lock will close as expected.
In most cases, website support for both older browsers and newer EV browsers will require the installation of a cross-certificate on the web server which was issued by a root CA already embedded in older browsers. The cross-certificate will certify a newer EV specific issuing CA as trusted, and the actual web server site certificate will be issued from that issuing CA.
How will browsers respond when they visit a website with an invalid certificate or phishing site?
The response may vary depending on the type of browser but, in general, a red address bar could indicate that you that you have accessed a known phishing site.
Red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they wish.
A red address bar could also indicate that there may be a problem with the certificate or that it may not be issued from a trusted Certificate Authority.
Internet Explorer includes prominent warnings to users and will recommend users not visit the page.
If the user ignores the warnings and continues, the address bar goes red, and red warning ‘security badges’ appear.
I operate my own CA based on Entrust software, can I issue EV certificates myself?
Yes, if you own an Entrust-rooted CA, you will be able to issue Entrust EV Multi-Domain SSL/TLS Certificates once your CA is recognized by the EV-ready browsers. This will either entail cross-certification with a CA already in the EV root embedding programs of the major browsers, or that you submit your own root into those programs.
In both cases, you will need to undergo an audit under the CA/Browser Forum guidelines.
I'm a website operator. How will Entrust EV Multi-Domain SSL/TLS Certificates affect me?
For website operators, some changes to consider include that more details about the subscriber will be placed into the certificate including:
- Domain name
- Organization name
- Jurisdiction of Incorporation
- City or town
- State or province (if any)
- Country – mandatory
Some CSR generating tools may not allow you to add this information to your certificates. However, Entrust will be able to add this information to your Entrust EV Multi-Domain SSL/TLS Certificates once your certificate order has been placed.
Please note that EV standards do not permit the use of wildcard certificates which can impact the number of certificates you may be required to purchase.
"Couldn't browsers just turn the address bar green with the current Entrust SSL/TLS certificates?"
While it would be possible to enable more prominent security features in browsers based on current SSL/TLS certificates, the problem is with the inconsistent level of validation behind current certificates.
Some CA's today perform much less rigorous validation checks on companies requesting SSL/TLS certificates, which introduce the risk that a phishing site could acquire a valid SSL/TLS certificate.
With that risk in mind, the CA/Browser Forum set out to establish a consistent, common set of validation guidelines which participating CA's could follow, and which browser manufacturers could rely on before turning on more prominent security features such as the green address bar.
Can I get an Entrust EV Multi-Domain SSL/TLS wildcard certificate?
No, the EV SSL/TLS guidelines do not permit wildcard certificates. In some cases the use of subjectAltName extensions can provide the same benefits as a wildcard certificate, and this is permitted within the EV guidelines.
Under what conditions will my Entrust EV Multi-Domain SSL/TLS Certificate be revoked?
Entrust MUST revoke an Entrust EV Multi-Domain SSL/TLS Certificate it has issued upon the occurrence of any of the following events:
What is Entrust's EV Certificate Problem Reporting and Response Capability?
- The Subscriber requests revocation of its Entrust EV Multi-Domain SSL/TLS Certificate.
- The Subscriber indicates that the original Entrust EV Multi-Domain SSL/TLS Certificate Request was not authorized and does not retroactively grant authorization.
- Entrust obtains reasonable evidence that the Subscriber's Private Key (corresponding to the Public Key in the Entrust EV Multi-Domain SSL/TLS Certificate) has been compromised, or that the Entrust EV Multi-Domain SSL/TLS Certificate has otherwise been misused.
- Entrust receives notice or otherwise become aware that a Subscriber violates any of its material obligations under the Subscriber Agreement.
- Entrust receives notice or otherwise become aware that a court or arbitrator has revoked a Subscriber's right to use the domain name listed in the Entrust EV Multi-Domain SSL/TLS Certificate, or that the Subscriber has failed to renew it domain name.
- Entrust receives notice or otherwise become aware of a material change in the information contained in the Entrust EV Multi-Domain SSL/TLS Certificate.
- A determination, in the CA's sole discretion, that the Entrust EV Multi-Domain SSL/TLS Certificate was not issued in accordance with the terms and conditions of these Guidelines or the CA's EV Policies.
- If Entrust determines that any of the information appearing in the Entrust EV Multi-Domain SSL/TLS Certificate is not accurate.
- Entrust ceases operations for any reason and has not arranged for another EV CA to provide revocation support for the EV Certificate.
- Entrust's right to issue Entrust EV Multi-Domain SSL/TLS Certificate under these Guidelines expires or is revoked or terminated [unless the CA makes arrangements to continue maintaining the CRL/OCSP Repository].
- Entrust's Private Key for that Entrust EV Multi-Domain SSL/TLS Certificate has been compromised.
- Entrust receives notice or otherwise become aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of the CA's jurisdiction of operation.
If you wish to revoke your Entrust EV Multi-Domain SSL/TLS Certificate for any of the above reasons, you may contact Entrust by filling in our online complaint form.
In addition to Entrust EV Multi-Domain SSL/TLS Certificate revocation, Subscribers, Relying Parties, Application Software Vendors, and other third parties can contact Entrust by filling in our online complaint form for reporting complaints or suspected Private Key compromise, EV Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to EV Certificates.
Entrust will begin investigation of all Certificate Problem Reports within twenty-four (24) hours and decide whether revocation or other appropriate action is warranted based on at least the following criteria:
- The nature of the alleged problem;
- Number of Certificate Problem Reports received about a particular EV Certificate or website;
- The identity of the complainants (for example, complaints from a law enforcement official that a web site is engaged in illegal activities have more weight than a complaint from a consumer alleging they never received the goods they ordered); and
- Relevant legislation in force.
Entrust will maintain a continuous 24/7 ability to internally respond to any high priority Certificate Problem Report, and where appropriate, forward such complaints to law enforcement and/or revoke an Entrust EV Multi-Domain SSL/TLS Certificate that is the subject of such a complaint.