Shopping online can be easy and simple, and can save you lots of money. It can also take a lot of your time, frustrate you, and result in unwanted purchases. The same can be said for regular high street shopping, but with the vast opportunity presented by the Internet it will pay you to spend a few minutes reading this and understanding how to better optimize your Extended Validation Certificate shopping experience:
1. Compare - without doubt the biggest advantage that the Extended Validation Certificate offers shoppers today is the ability to compare thousands of Extended Validation Certificate at a time. This is a great thing, but not necessarily all the time! Too much can be daunting at times so take advantage of the great comparison sites and where possible let them do the hard work for you.
2. Research - if it has been said, it will be on the internet. Ignorance is no longer a justifiable reason for buying the wrong thing. Take the time to research in detail everything that you could possibly want to know about
3. Testimonials - don't know anybody that has bought an Extended Validation Certificate? Wrong! If the Extended Validation Certificate is good, the internet will let you know. Use the Internet as a friend and get testimonials before you buy.
4. Questions - Got a question about Extended Validation Certificate then search the Forums, FAQ's, Blogs etc. Don't be afraid to ask .....
5. Reputation - Never heard of the company selling Extended Validation Certificate? Don't worry, no reason why you should know every company in the world, but you know someone that does! Use the internet to find out what people are saying about Extended Validation Certificate and build up a picture of their reputation for sales, returns, customer service, delivery etc.
6. Returns - still worried that even after all of the above your Extended Validation Certificate won't be what you want? Check out the returns policy. There is so much competition now that someone, somewhere is bound to offer the terms that you are comfortable with.
7. Feedback - happy with your Extended Validation Certificate? Then let people know. After all, you are depending on other people's input in your buying decision, so why not give a little back.
8. Security - check for the yellow padlock on the Extended Validation Certificate site before you buy, and the s after http://, i.e. https:// = a secure site
9. Contact - got a question about Extended Validation Certificate, or want to leave a comment then check out the sites contact page. Reputable companies have them and respond.
10. Payment - ready to pay for your Extended Validation Certificate, then use your credit card or PayPal! Be aware of companies that don't accept them, there may be genuine reasons but given the huge amount of choice you have when buying online there is no reason at all not to buy via credit card or PayPal.
Extended Validation Certificates (EV) are a special type of X.509 certificate which require more extensive investigation by the Certificate Authority before being issued. (The term validation as used here should not be confused with the certification path validation algorithm commonly found in a certificate context.)
The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation Certificates. The guidelines are produced by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions.
Motivation
An important motivation for using digital certificates with Secure Sockets Layer was to add trust to online transactions by requiring website operators to undergo vetting with a certificate authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce "domain validation only" SSL certificates for which minimal verification is performed of the details in the certificate.
Most browsers' user interfaces do not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add credibility to their websites.
By establishing stricter issuing criteria, EV SSL certificates are intended to restore confidence among users that a website operator is a legally established business with a public real-world presence.
Issuing criteria
Only CAs who pass an independent audit as part of their WebTrust (or equivalent) review may offer EV, and all CAs globally must follow the same detailed issuance requirements which aim to:
- Establish the legal identity as well as the operational and physical presence of website owner;
- Establish that the website owner has exclusive control over the URL; and
- Confirm the identity and authority of the individuals acting for the website owner, and that documents pertaining to legal obligations are signed by an authorised officer.
User experience
Browsers with EV support will display more information for EV certificates than for previous SSL certificates. Microsoft's Internet Explorer 7 is the first browser to be EV-ready. VeriSign has issued an add-on for Mozilla's Firefox browser to provide EV support for certificates issued by its CAs only. When they receive an EV certificate:
- The address bar will turn green.
- A special label will appear that periodically alternates between the name/summarised address of the website owner, and the CA that issued their certificate.
Firefox 3 and Opera have announced that they will provide EV support in future releases, although perhaps with different user interfaces. Until then, EV certificates will appear as a normal SSL padlock.
The Extended Validation (EV) guidelines require participating Certificate Authorities to assign a specific EV identifier, which is registered with the browser vendors who support EV once the Certificate Authority has completed an independent audit and met other criteria. The browser matches the EV identifier in the SSL certificate with the one it has registered for the CA in question: if they match, and the certificate is verified as current, the SSL certificate receives the enhanced EV display in the browser's user interface.
Extended Validation certificate identification
EV certificates are standard X.509 digital certificates. The primary way to identify an EV certificate is by referencing the Certificate Policies extension field. Each issuer uses a different object identifier (OID) in this field to identify their EV certificates, and each OID is documented in the issuer's Certification Practice Statement.
EV OIDs and the Certification Practice Statement documenting each:
- 1.3.6.1.4.1.6449.1.2.1.5.1: Comodo EV CPS, p. 28
- 2.16.840.1.114028.10.1.2: Entrust EV CPS, p. 37
- 2.16.840.1.114413.1.7.23.3: Go Daddy EV CPS v. 2.0, p. 42
- 2.16.840.1.114414.1.7.23.3: Starfield EV CPS v. 2.0, p. 42
- 2.16.840.1.113733.1.7.23.6: VeriSign EV CPS v. 3.3, p. 87
Surrounding issues
Exclusion of Small Businesses
The current EV Guidelines exclude unincorporated associations and individuals from obtaining EV certificates. EV certificates are also likely to be much more expensive (VeriSign's "Secure Site Pro with EV" certificate sells for $2695 as of July 2007). Since EV certificates are being promoted ("in IE 7 ... if a website has an Entrust EV SSL Certificate installed, the address bar color will change to green and toggle between the identity of the site and the name of the certificate authority to let the consumer know they can shop with confidence." Entrust, "EV SSL Certificate FAQ", http://www.entrust.net/ssl-technical/ev_faq.htm, accessed 2007-02-05) and reported ("The colored address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving Web surfers the green light to carry out transactions there." CNet, "IE 7 gives secure Web sites the green light", http://news.com.com/IE+7+gives+secure+Web+sites+the+green+light/2100-1029_3-6155826.html, accessed 2007-02-05) as a mark of a trustworthy website, some small business owners have voiced concerns (Richmond, Riva, "Software to Spot 'Phishers' Irks Small Concerns", Wall Street Journal, December 19, 2006, http://online.wsj.com/public/article/SB116649577602354120-5U4Afb0JPeyiOy1H_j3fVTUmfG8_20071218.html?mod=rss_free) that EV certificates give undue advantage toward large businesses.
Vulnerability to Phishing
There has been some concern that EV certificates, despite their improved authentication and higher cost, will not prevent phishing attacks, and Microsoft conducted a usability study (Jackson, Collin; Daniel R. Simon, Desney S. Tan, Adam Barth, "An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks", Usable Security 2007, http://www.usablesecurity.org/papers/jackson.pdf) of the EV display in Internet Explorer 7. The study measured users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent.
Critics of this report have pointed out that the total sample size is inadequate for drawing useful conclusions about the studied subject matter. Each test cell had a mere nine subjects, and as a result the statistically significant variance of 45 (statistically relevant information is generally 5) is actually considerably higher than the differences the paper seeks to report.
See also
- Transport Layer Security (SSL)
References
- CA/Browser Forum Web site
- CA/Browser Extended Validation Guidelines
- Microsoft information on EV in IE7
- CAs approved for EV in Microsoft IE7