| |
GeoTrust Products
SSL Certificates
Clients Certificates
True Credentials
True Credentials Express
Identity Verification
TrustWatch®
Verified Domain™
True Site® Seal
Signing Services
Adobe® Document Signing
Code Signing
Root Signing
|
|
|
|
|
High Assurance / Extended Validation SSL Certificate FAQs
References to “High Assurance”, “Extended Validation” and “Enhanced Validation” are all being used to describe the new certificates. Will there be a standard name for the new certificates?
At this time there is no standard, industry – wide name for the new certificates. The new certificates are currently referred to as High Assurance SSL, Extended Validation Certificates and Enhanced Validation Certificates – all of which are working names for the initiative. It is likely that the certificate name will be determined by each individual CA after the standards are finalized.
How is it possible that some CAs already offer High Assurance / Extended Validation certificates?
No CA today is offering what will be determined as a High Assurance/Extended Validation Certificate. Although some CAs describe their SSL products as “high assurance,” these SSL certificates are not the same as those being discussed by the CA Browser Forum. Only when the standards are finalized by CA Browser Forum and a CA has passed the certification requirements to issue High Assurance/Extended Validation certificates, will they will have the ability to sell them.
What are High Assurance / Extended Validation SSL certificates?
For over a year, GeoTrust and other companies have been leading the effort to find new ways to help reduce phishing incidents and other forms of online fraud, and improve consumer confidence in online transactions. The result is that there will be a single standard for the issuance of new High Assurance / Extended Validation SSL certificates.
High Assurance / Extended Validation certificates will entail a higher level of business verification than any other certificate on the market, using a thoroughly defined industry-standard vetting process. Additionally, the developers of major browsers intend to give High Assurance / Extended Validation certificates stronger visibility in the user interfaces of their next-generation browsers. Since High Assurance / Extended Validation certificate identity information will be clearly displayed in these new-generation browsers, consumers will easily be able to discern that they are indeed at the site they think they are, and not a fraudulent version of a popular website.
Are they Available?
High Assurance / Extended Validation certificates are not yet available through any Certificate Authority (CA), but are expected to be available mid-year.
Are existing SSL certificates still sufficient for securing online transactions?
Today, the lock icon in a user’s browser window fundamentally means that their traffic with the website is encrypted and that a CA has identified the website and issued an SSL certificate to the person who owns that domain. Many trusted CAs, including GeoTrust, offer certificates with different methods of background checking. In many instances, these types of certificates will be perfectly valid, for example to secure traffic between a company’s servers or to verify the identity of Jane’s flower shop (since she is an unlikely phishing target.)
Who should use High Assurance / Extended Validation certificates?
High Assurance / Extended Validation certificates are ideal for any organization that has a high-visibility, high-traffic web site that is likely to be phished, spoofed or the target of other forms of online fraud. Likely applicants will be online businesses such as financial services and banking sites, auction sites, large online retailers, and other sites that conduct high-stakes, high-value transactions over the Internet.
Why is a standard for High Assurance / Extended Validation SSL certificates being set?
Today, there is no industry standard method to tell what level of background checking was performed for a given site before being issued an SSL certificate. Web users have been expected to understand the intricate and highly technical specifications of individual CAs and their CPSs in order to comprehend what a given CA does to verify the organizational information contained with the certificate.
In contrast, with High Assurance / Extended Validation certificates, all participating CAs will follow standard vetting processes, so that consumers and other relying parties may rely on a High Assurance / Extended Validation certificate from any participating CA to the same degree, without having to read and analyze every CA’s policies and procedures for vetting.
Who is defining the new standards for High Assurance / Extended Validation SSL Certificates?
The new High Assurance / Extended Validation SSL certificates are being defined by leading browser companies including Microsoft, Mozilla, Opera and Konqeurer (KDE) in partnership with Certificate Authorities including GeoTrust and VeriSign, as well as other organizations such as the American Bar Association’s Information Security Committee.
What is the difference between High Assurance / Extended Validation SSL certificates and existing SSL certificates?
The vetting process will be much more comprehensive than any CA’s current vetting standards, which primarily rely on email and faxed information, database lookups and phone calls before issuing an SSL certificate. Key to the new High Assurance / Extended Validation certificates is a standardized process across CAs for verifying information that will include: verifying the organization’s identity; verifying that the would-be purchaser has the legal authority to make the SSL certificate request for that organizational entity; and confirming that the entity is a legitimate business, not a shell or false front entity.
The standards will establish new requirements for an organization that cannot be controlled or faked by a High Assurance / Extended Validation certificate applicant. These requirements will be vital in preventing imposters from obtaining false certificates. And more likely, imposters will simply not try to obtain a High Assurance / Extended Validation certificate.
What information will be contained in High Assurance / Extended Validation Certificate fields?
The certificate will likely include strongly confirmed data about the organization, including:
- Company name
- Building number and street
- City or town
- State or province (if any)
- Country
- Postal code (zip code)
- Telephone number
- Domain name
- E-mail address
When will High Assurance / Extended Validation SSL certificates be available?
The new standard for verifying identities for High Assurance / Extended Validation SSL certificates is expected to be finalized in the coming months. It is expected that the certificates will be available mid-year, to correspond with the first launches of the new web browser releases.
Since the new standard is not yet completed, no CA can sell issue High Assurance / Extended Validation certificates yet. Upon completion of the standards, the certificates will be available from GeoTrust’s enterprise sales organization, retail site and its worldwide reseller network. Other CAs that meet the standards will also be able to offer High Assurance / Extended Validation certificates.
How much will High Assurance / Extended Validation certificates cost?
The cost of High Assurance / Extended Validation certificates will be determined by individual CAs. GeoTrust has not yet determined the cost of their High Assurance / Extended Validation certificates.
How will I be able to upgrade my existing GeoTrust SSL certificates to the new High Assurance / Extended Validation certificates?
Since they will be an entirely new type of certificate, any upgrades will require an organisation to complete the new vetting process. GeoTrust will offer existing customers special promotional pricing.
How can I find out more about High Assurance / Extended Validation SSL Certificates?
Visit the GeoTrust web site: www.geotrusteurope.com
Download the GeoTrust Press Release: http://www.geotrusteurope.com/about/news_
events/press/high_assurance_ss_certificates.pdf
Visit the weblog:http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
A Microsoft Internet Explorer developer’s weblog has published extensively on the new security features in IE 7, the work of the browser and Certificate Authority initiatives, and includes examples of how the new High Assurance / Extended Validation SSL certificate information would display within the new Internet Explorer browser.
What do the next- generation toolbars look like?
Below are examples of next-generation browsers that incorporate information about SSL certificates:
Microsoft IE7
Fig 3.1, IE7 address bar for a site with a high-assurance SSL certificate (showing the identity of the site from the SSL certificate)
Fig 3.2, IE7 address bar for a site with a high-assurance SSL certificate (alternating in the name of the Certification Authority who identified the site)
Opera 8
Opera's yellow security bar appears on secure sites and displays the name of the organization that owns the certificate. By clicking on the bar you have access to more information about the validity of the certificate.
|
|
|
|
| |
|
If you purchase a multi-year Enterprise SSL, QuickSSL Premium, True BusinessID or Power ServerID certificate today, GeoTrust will offer an upgrade promotion to the new High Assurance / Extended Validation SSL certificates (when they are available) that preserves your current investment.
There’s no obligation, and no risk. We just want to assure you that you’ll be able to upgrade, if and when you want, to the new certificates. And, we’ll credit you with the unused portion of this certificate towards the new High Assurance / Extended Validation Certificate’s price.
Register Your Interest
Be one of the first to know how to upgrade to a High Assurance / Extended Validation Certificate |
|
|
|
 Read Microsoft Weblog
Press Release
Contact Sales Request Form
|
|
