Re: Re: EV SSL Certs

[Cody Rose <cody () killsudo info>]

On Monday, September 12, 2011 12:08:56 PM Coy Hile wrote:
> > On Sun, Sep 11, 2011 at 9:08 PM, Christopher Morrow
> >
> > <morrowc.lists () gmail com> wrote:
> > > what's the real benefit of an EV cert? (to the service owner, not the
> > > CA, the CA benefit is pretty clearly $$)
> >
> > The benefit is to the end user.
> > They see a green address bar  with the company's name displayed.
> >
> > Yeah, company's name displayed -- individuals cannot apply for EVSSL
> > certs.
> >
> >
> > With normal certs, the end user doesn't see a green address bar, and
> > instead of the company's
> > name displayed "(unknown)" is displayed and
> > "This web site does not supply ownership information."  is displayed.
> >
> > If you ask me, hiding the company's name even when present on a
> > non-EVSSL
> > cert is tantamount to saying  "Only EV-SSL certs are really trusted
> > anyways".
> >
> > So maybe  instead of these shenanigans browser makers should have just
> > started displaying a "don't trust this site" warning for any non-EVSSL
> > cert.
> As an academic aside, exactly what would one set on his (internal)
> root CA so that internally-trusted certs signed by that CA would show
> up as EV certs?

The certificate would need a authority specific OID included in the extension 
field and you would have to modify the browser to acknowledge the OID as 
legitmate.

Regards,
 
Cody Rose
NOC & Sys Admin

Attachment: signature.asc
Description: This is a digitally signed message part.