ssl-certificate – Are Extended Validation SSL certificates effective?

Every time my SSL certificate comes up for renewal, my provider tries to sell me an Extended Validation certificate. The biggest difference, at four or five times the cost, is the green address bar in Firefox and Safari.

Presumably the benefit (and the reason the green bar is not shown in IE8 or Chrome) is a deeper authentication of the requesting party. But I can detect very little actual difference between Verisign's own minimum requirements for all SSL certificates (from the CPS, section 3.2.2):

At a minimum VeriSign shall:

• Determine that the organization exists by using at least one third party identity proofing service or database, or alternatively, organizational documentation issued by or filed with the applicable government agency or competent authority that confirms the existence of the organization,

• Confirm by telephone, confirmatory postal mail, or comparable procedure to the Certificate Applicant certain information about the organization, that the organization has authorized the Certificate Application, and that the person submitting the Certificate Application on behalf of the Certificate Applicant is authorized to do so. When a certificate includes the name of an individual as an authorized representative of the Organization, the employment of that individual and his/her authority to act on behalf of the Organization shall also be confirmed.

• Where a domain name or e-mail address is included in the certificate VeriSign authenticates the Organization’s right to use that domain name either as a fully qualified Domain name or an e-mail domain.

and the EV requirements (Appendix F14C):

(C) Business Entities
To verify a Business Entity’s legal existence and identity VeriSign verifies that the Entity is engaged in business under the name submitted by Applicant in the Application. VeriSign verifies that the Applicant’s formal legal name as recognized by the Registration Authority in Applicant’s Jurisdiction of Registration matches Applicant’s name in the EV Certificate Request. VeriSign records the specific unique Registration Number assigned to Applicant by the Registration Agency in Applicant’s Jurisdiction of Registration. Where the Registration Agency does not assign a Registration Number, the Applicant’s date of Registration will be recorded. In addition, the identity of a Principal Individual associated with the Business Entity is verified in accordance with Section 14(b)(4) of the EV Guidelines.

So:

1) Do EV certificates actually inspire trust among users?

2) Do EV certificates actually help combat phishing / fraud / whatever else the vendors list?

3) If they actually carry out the minimum requirements, doesn't that already cover everything EV does? What am I missing?

Six years have passed, and it's time to rewrite this sucker from a 2015 perspective (with a lot more personal experience in the commercial CA space).

First, as far as EV certificates inspiring trust goes, the answer is (still) "no, not really". Independent research into EV certificates has not shown a meaningful effect on typical consumers. Peter Gutmann's book "Engineering Security", which is largely an 800-page rant against CAs, refers in many places throughout the text to the effectiveness of EV certificates at influencing secure user behaviour, with the densest section being the one headed "EV Certificates: PKI-me-Harder", starting on page 72.

On the other side of the argument, the parties with the most to gain from demonstrating the effectiveness of EV certificates (the CAs that sell them) have also failed to come up with any convincing evidence. The "best" collection of EV case studies I could dig up is long on unsupported assertions and sorely lacking in any useful data.

As to whether EV certificates actually do any good against fraud, I'll go back to Peter Gutmann again:

The introduction […] of so-called high-assurance or extended validation (EV) certificates […] is simply a case of rounding up twice the usual number of suspects — presumably somebody’s going to be impressed by it, but the effect on phishing is minimal since it’s not fixing any problem that the phishers are exploiting.

In other words, you know for sure and certain that the site you are communicating with is "Honest Achmed's Drug Bazaar and Fishmarket, Inc" of Tashkent, Uzbekistan, but that says nothing about whether Achmed is going to run off with your credit card and private information. Nor do EV certificates say anything useful about an organisation's security practices: while ashleymadison.com used a wildcard DV certificate, it was (and is) perfectly capable of getting an EV certificate, and everyone's private peccadillos would still have been downloadable had they been running an EV certificate.

Finally, for what it's worth, EV certificates are issued after (somewhat) more validation than is done for Domain Validated (DV) or Organisation Validated (OV) certificates. What is being validated isn't really all that important, but you can be reasonably sure that someone has gone to some reasonable trouble to make it look like the organisation in the green bar exists.
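To make concrete what the answer above means by "more validation": the only things an EV issuance leaves in the certificate itself are an EV policy OID and a few extra Subject attributes (the organisation's registration number, business category and jurisdiction, matching the "Registration Number" the CPS excerpt in the question talks about). The Go program below is an added example, not part of the original question or answer: it builds three constructed self-signed certificates that mimic DV, OV and EV subjects, then reports which tier each certificate's own contents claim. The OIDs are the real CA/Browser Forum EV policy OID (2.23.140.1.1) and the X.520/EV Guidelines attribute OIDs; the organisation name and registration number are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Level is the validation tier a certificate's own contents claim.
type Level string

const (
	LevelDV Level = "DV" // domain control only
	LevelOV Level = "OV" // organisation named in the Subject
	LevelEV Level = "EV" // EV policy OID plus the EV-mandated Subject attributes
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	// CA/Browser Forum EV policy OID. CAs may also use a CA-specific EV OID that
	// browsers map to EV in their root programs; that mapping is not modelled here.
	oidCABFEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	// businessCategory and jurisdictionOfIncorporationCountryName. The registration
	// number travels in serialNumber (2.5.4.5), which Go exposes as Subject.SerialNumber.
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

// policyInformation is RFC 5280's PolicyInformation with only the OID decoded;
// encoding/asn1 tolerates the trailing optional qualifiers real certificates carry.
type policyInformation struct {
	Policy asn1.ObjectIdentifier
}

// policyOIDs reads certificatePolicies from the raw extension list (malformed -> none).
func policyOIDs(cert *x509.Certificate) []asn1.ObjectIdentifier {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidCertificatePolicies) {
			continue
		}
		var infos []policyInformation
		if _, err := asn1.Unmarshal(ext.Value, &infos); err != nil {
			return nil
		}
		oids := make([]asn1.ObjectIdentifier, 0, len(infos))
		for _, pi := range infos {
			oids = append(oids, pi.Policy)
		}
		return oids
	}
	return nil
}

// Classify reports what the certificate claims about its subject. It does not
// validate the chain: the claim is only as good as the issuer that signed it.
func Classify(cert *x509.Certificate) Level {
	evPolicy, bizCat, juris := false, false, false
	for _, oid := range policyOIDs(cert) {
		evPolicy = evPolicy || oid.Equal(oidCABFEV)
	}
	for _, atv := range cert.Subject.Names {
		bizCat = bizCat || atv.Type.Equal(oidBusinessCategory)
		juris = juris || atv.Type.Equal(oidJurisdictionCountry)
	}
	hasOrg := len(cert.Subject.Organization) > 0
	switch {
	case evPolicy && hasOrg && bizCat && juris && cert.Subject.SerialNumber != "":
		return LevelEV
	case hasOrg:
		return LevelOV
	}
	return LevelDV
}

// buildSample creates a self-signed certificate whose Subject and extensions
// mimic a DV, OV or EV issuance (constructed test data, not a real CA's output).
func buildSample(want Level) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if want == LevelOV || want == LevelEV {
		tmpl.Subject.Organization = []string{"Example Corp"} // made-up organisation
		tmpl.Subject.Country = []string{"US"}
	}
	if want == LevelEV {
		tmpl.Subject.SerialNumber = "C1234567" // made-up registration number
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "US"},
		}
		policies, err := asn1.Marshal([]policyInformation{{Policy: oidCABFEV}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: policies}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, want := range []Level{LevelDV, LevelOV, LevelEV} {
		cert, err := buildSample(want)
		if err != nil {
			panic(err)
		}
		fmt.Printf("built %s -> classified %s (O=%v, registration number=%q)\n",
			want, Classify(cert), cert.Subject.Organization, cert.Subject.SerialNumber)
	}
}
```

Classify only reads what the certificate asserts about its subject; whether to believe the assertion is a chain-validation question, and the browser's "green bar" additionally depends on the issuing root being marked EV-capable in that browser's root program. That is exactly the answer's point: the extra fields prove someone checked that the organisation exists, and nothing about whether it is safe to deal with.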

Translated from: https://serverfault.com/questions/76961/are-extended-validation-ssl-certificates-effective
