EV SSL Certificates!

Well, now that we have a website www.cabforum.org, everyone knows the new standard we have been working on to improve SSL.

I thought I should write a note or two to clarify a few issues and make a few statements.

1) Where the hell did this CAB Forum come from?
Well, in April 05, I thought the time had come to bring together the people in the industry and own up to the problems that existed so that they could be resolved. One morning, I rang our competitor Verisign's folks and asked them if they would be in. They said np. Then we held the first meeting of this forum in a hotel near Wall Street in NY, hosted by Comodo.
What do you mean, why did I do that? The same reason I chose to give away a free firewall and free AV. I believe that by bringing the industry together we could create a vehicle to help resolve “trust threats”.

2) What had to be done: The problem was that people who had root keys could issue certs willy-nilly. There were no standards to follow or rules to abide by. That’s why some CAs were issuing unvetted certs. So stage one was to set a standard and get everyone to agree that unless they complied with it, their root would be kicked out of the root programme.

Of course, then the question was: where do you draw the line for this standard? It was, and still is, difficult to figure out. It was important to have really good validation but still be inclusive. Stage one is a good starting point; however, we need to continue making progress and make EV accessible to every legitimate entity that needs it. Identity assurance is a key component in any commerce, and especially so for e-commerce.

3) Why did we have to come up with a new GUI and not simply fix the yellow padlock? Well, that’s a tough one. I don’t think it’s fair on the browser guys. Let me explain: there was no standard when the browser guys included the root keys of certain CAs, so under what circumstances can they turn around and say, “OK, we are kicking your root out now”? On what basis? There was no standard in the first place! So that would, IMO, leave a huge liability for the browser guys. Also, it would take a lot longer to get the standard effected, as there are already multi-year certs out there on the old SSL. And a few other reasons that I can’t remember (yes, old age!).

4) Is this a way for CAs to make more money? Well, yes. But that was not the intended consequence at the beginning. It was merely trying to address a problem, which turned out to be a new product that actually costs more money to implement due to its high standard requirements. (Come on guys, give me a break, will you? We give all our desktop security away for free!! Let us make money somewhere, will you? (:SHY) )

More will follow as I get more questions/thoughts…

Melih

Just a note, the web site doesn’t work for me. :-\

Paul

You obviously don’t understand your market, and you sure as heck don’t adhere to the guidelines set out in the cabforum.

Try obtaining an EV SSL certificate for a UK-based unincorporated business (that, by the way, has been around longer than Comodo), as set out in the CAB Forum’s guidelines. We have several bank accounts, two merchant accounts, a verifiable physical address and identity, and employees; we pay VAT, taxes, business rates, etc… But your UK support team insist that “they follow the cabforum guidelines”, yet only issue EV SSL to incorporated businesses (i.e. limited companies, PLCs, etc…), seemingly ones that they can look up on the Companies House website.

You can set up a limited company very easily, then, at no financial risk to yourself, fold the company owing money and get off scot-free. You can’t do that if unincorporated.

So basically, you don’t even follow your own guidelines.

Just in case you’re unaware of them:

The CA may issue EV Certificates to Business Entities that do not qualify under the criteria listed for Private Organizations above but that do satisfy the following requirements:

  • The Business Entity must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction, the issuance or approval by such Registration Agency of a charter, certificate, or license, and whose existence can be verified with that Registration Agency;

  • The Business Entity must have a verifiable physical existence and business presence;
  • At least one Principal Individual associated with the Business Entity must be identified and validated;
  • The identified Principal Individual must attest to the representations made in the Subscriber Agreement;
  • Where the Business Entity represents itself under an assumed name, the CA must verify the Business Entity’s use of the assumed name pursuant to the requirements of Section 15 herein;
  • The Business Entity and the identified Principal Individual associated with the Business Entity must not be located or residing in any country where the CA is prohibited from doing business or issuing a certificate by the laws of the CA’s jurisdiction;
  • The Business Entity and the identified Principal Individual associated with the Business Entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA’s jurisdiction.

So, sadly, it’s going to have to be bye-bye Comodo, hello Verisign.

Phil

Firstly, let me apologise for the hassle.

EV is a new standard that improves trust online. However, there are many areas where we need to learn and improve, as different countries have different standards and ways in which they do business.

I totally sympathise with your position, and nothing we do is designed to deny EV to any legitimate entity! Actually, it was Comodo who spearheaded the initiative to make sure EV was accessible to many!

So, if you give us another chance, we will see how we can improve our process as well as serve you better.

You can PM me with your details if you wish, please.

Thank you for your understanding.

Melih

Phil,
The key phrase is:

“The Business Entity must be a legally recognized entity whose formation included the filing of certain forms with the Registration Agency in its Jurisdiction…”

There is no Registration Agency for sole proprietors in the UK, so we cannot issue EV to sole proprietors and still be in compliance with the EV Guidelines as currently written. For the record, we agree with the points you have made, and have brought up these concerns through our representative on the CAB Forum. Unfortunately, until the guidelines are amended, our hands are tied.

This is not a situation we like any more than you do and we are doing our best to address these kinds of issues within the Forum. It always helps if end customers like yourself are willing to go to http://www.cabforum.org and provide your feedback directly to the Forum as a whole.