Ben Laurie blathering

Verisign’s New Cash Cow

The Register has an article about IE7’s support for an “extended validation certificate”

Verisign is at the RSA Europe Conference in Nice talking up a new breed of online security certificate. The padlock encryption symbol used by browsers has been effectively meaningless for some time, and consumer paranoia surrounding fraud remains a barrier to using online commerce for many.

In response, the verification industry in the form of the CA browser forum has come up with extended validation SSL, where the certificate really is a guarantee of kosher status. Honest.

I can’t find much information about this certificate, but I have two predictions:

  • It will be expensive
  • At least one will get issued to a Bad Guy in ’07

I have to congratulate Verisign and Microsoft for the cunning tactic of advertising this feature by attacking open source. No points to El Reg for lucid reporting, though:

Callan puts Mozilla’s apparent heel-dragging on the new security technology down to the character of its development community. Several community members have been involved in the development process however and are “acutely aware of the most minor details” of the project.

Err, right – so where did the “character of its development community” come into this?


  1. So, just FYI, Tim Callan actually has a blog. He links to a fluffy FAQ about these “extended validation certificates”.

    Comment by David — 26 Oct 2006 @ 13:58

  2. “Extended Validation” (fka “High Assurance”) certs have been supported
    in IE7 since beta 2 (Feb 2006), and have been openly discussed since at
    least Nov 2005:

    The current draft of the guidelines for issuing EV Certs is available
    (in loving detail) here:——_%3D_NextPart_001_01C6CD15.6863DD20&N=EV+Certificate+Guidelines+-+Draft+8-30-06+CLEAN.doc&T=application%2Fmsword

    Comment by Geoffrey Sisson — 26 Oct 2006 @ 16:56

  3. The Register appears to have come spoling for a fight. The actual situation is rather less exciting. Microsoft and Firefox have different internal security processes and different bargaining strengths. These allow Microsoft to commit to a decision on this some months earlier than Microsoft.

    The differences are irrelevant since security is determined by deployment and not press releases. Microsoft has a process that is more finely tuned to delivering a press release more quickly. Is this a suprize? Note that nobody present at the RSA panel was bashing Firefox apart from the reporter. The phrase Tim used is actually one that Vint Cerf once used to describe the IETF.

    IE7 and Firefox 2 both update themselves constantly. Patch deployment is rather less of a concern than in the past.

    Comment by Phill — 30 Oct 2006 @ 19:07

  4. From reading the Netcraft monthly secure server survey it is clear that the largest growth area, for at least a year, has been in domain validated not organisation validated certificates. This is not too surprising when the cost difference is about a tenth for the domain validated certs and yet they both perform the same technical function. This makes this new development more of an attempt to replace one dying cash cow with another.

    Comment by Jay — 4 Nov 2006 @ 23:09

  5. There is info on the EV certificate guidelines at

    Comment by twiSSLer — 19 Jan 2007 @ 21:37

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress