EV SSL Certs

Cody Rose cody at killsudo.info
Mon Sep 12 08:37:19 CDT 2011


On Monday, September 12, 2011 12:08:56 PM Coy Hile wrote:
> > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
> > 
> > <morrowc.lists at gmail.com> wrote:
> >> what's the real benefit of an EV cert? (to the service owner, not the
> >> CA, the CA benefit is pretty clearly $$)
> > 
> > The benefit is to the end user.
> > They see a green address bar  with the company's name displayed.
> > 
> > Yeah, company's name displayed -- individuals cannot apply for EVSSL
> > certs.
> > 
> > 
> > With normal certs, the end user doesn't see a green address bar, and
> > instead of the company's
> > name displayed "(unknown)" is displayed and
> > "This web site does not supply ownership information."  is displayed.
> > 
> > If you ask me, hiding the company's name even when present on a
> > non-EVSSL
> > cert is tantamount to saying  "Only EV-SSL certs are really trusted
> > anyways".
> > 
> > So maybe  instead of these shenanigans browser makers should have just
> > started displaying a "don't trust this site" warning for any non-EVSSL
> > cert.
> As an academic aside, exactly what would one set on his (internal)
> root CA so that internally-trusted certs signed by that CA would show
> up as EV certs?

The certificate would need a authority specific OID included in the extension 
field and you would have to modify the browser to acknowledge the OID as 
legitmate.

Regards,
 
Cody Rose
NOC & Sys Admin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 230 bytes
Desc: This is a digitally signed message part.
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20110912/cfa992ea/attachment-0001.bin>


More information about the NANOG mailing list