Trilight Zone
Privacy & Anonymity is our specialty!

High Assurance SSL

Trilight Zone Forum Index -> Security

tricore
Guest

Posted: Thu Feb 01, 2007 2:36 am    Post subject: High Assurance SSL

Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.

That little lock icon in the browser and the "https" in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.

Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.

A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be "Extended Validation," but they are more widely known as "High Assurance" SSL certificates.

The new standard comes from collaboration between the major certificate authorities such as VeriSign and GeoTrust, major domain name registrars, the developers of browsers including Firefox and Internet Explorer, and the American Bar Association Information Security Committee. While the details of the standard appear to be roughly finalized, based on published reports, these certificates are not yet available. The latest reports still indicate that they should be available "real soon now."

The major characteristics of these certificates will be greatly increased scrutiny of the organizations applying for them, and much more prominent display of certificate details to the user in next-generation browsers.

When you apply for a conventional SSL certificate these days, a reputable certificate authority will attempt to verify the information represented in the certificate application using a variety of techniques, from e-mail and faxing to database lookups and phone calls. There is no standardization of process across certificate authorities.

With the new High Assurance/Extended Validation certificates, a process will be defined as part of the standard. It will include verifying the identity of the applying organization, verifying that the applicant has legal authority to order an SSL certificate for the organization, and also that the organization itself is a legitimate business, not a shell corporation or false front. It's likely that these procedures will make such certificates more expensive than conventional certificates, but they'll still be a necessary measure for reputable businesses.

The new standard also defines browser behavior for sites presenting High Assurance/Extended Validation certificates. The address bar of the browser will turn green when someone visits a secured site, and the company name and domain name will appear on the right-hand side of the address bar. Internet Explorer 7 will probably be the first browser released to support this standard. Browsers not specifically compatible with these certificates will treat them the same as conventional SSL certificates. For some pictures of how Internet Explorer 7 treats such certificates, see this entry of the Microsoft Internet Explorer Weblog.

Of course, there is an ironic limit to what certificates like this can do to fight fraud. Users have to know, instinctively, to look for the certificate information where it should be present. If presented, for example, with a fraudulent bank site that has no certificates or indications of them, users must recognize that something is amiss. Nothing else may stop them from entering confidential information and surrendering their identity. This sort of protection is the realm of other products and services.
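The distinction the post draws between a domain-authenticated certificate and one that carries a vetted organization identity can be read straight out of the certificate, which is what a browser does before deciding what to show beside the lock. The following script is an added example, not code from the original post: it assumes openssl(1) is installed, builds two constructed self-signed certificates, and uses the CA/Browser Forum EV policy OID 2.23.140.1.1, a value fixed after this 2007 post was written.

```shell
#!/bin/sh
# Added example, not from the original post: classify a certificate as DV
# (CA vouched only for control of the domain), OV (an organization is named)
# or EV (named and issued under the EV policy OID), and show the identity a
# standard-following browser could display. Assumes openssl(1) is available.
set -eu

EV_POLICY_OID="2.23.140.1.1"   # CA/Browser Forum EV policy; postdates the post

# Organization name (O=) asserted in the subject; empty for a bare-CN cert.
org_name() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *organizationName *= *//p'
}

# DV: no organization in the subject.  OV: an organization is named.
# EV: named and the certificate carries the EV policy OID, the signal a
# browser needs before it paints the address bar green.
classify_cert() {
    if [ -z "$(org_name "$1")" ]; then
        echo DV
    elif openssl x509 -in "$1" -noout -text | grep -qF "Policy: $EV_POLICY_OID"; then
        echo EV
    else
        echo OV
    fi
}

# "domain" for a DV cert, "Organization [domain]" once an organization is named.
identity_label() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p')
    org=$(org_name "$1")
    if [ -n "$org" ]; then echo "$org [$cn]"; else echo "$cn"; fi
}

# Constructed, self-signed throwaway certificates so the script runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DV_CERT="$WORK/dv.pem"; EV_CERT="$WORK/ev.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/dv.key" -out "$DV_CERT" \
    -days 1 -subj "/CN=www.example.com" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ev.key" -out "$EV_CERT" \
    -days 1 -subj "/C=US/O=Example Bank Inc/CN=www.example.com" \
    -addext "certificatePolicies=$EV_POLICY_OID" 2>/dev/null

for c in "$DV_CERT" "$EV_CERT"; do
    echo "$(classify_cert "$c"): $(identity_label "$c")"
done
```

Run against a real site's certificate (for example one saved with `openssl s_client -showcerts`), the same functions show whether the lock icon is backed by a domain check alone or by a named, vetted organization.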
All times are GMT