what's the real benefit of an EV cert? (to the service owner, not the
CA, the CA benefit is pretty clearly $$)
The benefit is to the end user.
They see a green address bar with the company's name displayed.
Yeah, company's name displayed -- individuals cannot apply for EVSSL certs.
With normal certs, the end user doesn't see a green address bar, and
instead of the company's
name displayed "(unknown)" is displayed and
"This web site does not supply ownership information." is displayed.
If you ask me, hiding the company's name even when present on a non-EVSSL
cert is tantamount to saying "Only EV-SSL certs are really trusted anyways".
So maybe instead of these shenanigans browser makers should have just
started displaying a "don't trust this site" warning for any non-EVSSL cert.
As an academic aside, exactly what would one set on his (internal)
root CA so that internally-trusted certs signed by that CA would show
up as EV certs?
The certificate would need a authority specific OID included in the extension
field and you would have to modify the browser to acknowledge the OID as
NOC & Sys Admin
This is not possible without changing browser source code and recompiling
(or debugging/editing the browser binary).
The IDs of certificates that are allowed to sign EVSSL CAs are
hard-wired in the browser.
In some browsers, this also means it's impossible for an end user to
"untrust" or remove
an EVSSL CA.
It also means you cannot as a site adminsitrator, make an
administrative decision to internally
add an internal EVSSL CA, without customizing every browser.
If you ask me... it's shoddy software design. EVSSL CAs should be
but none of the major browsers provide the knobs to manually add or
access to/from a trusted CA.
Thanks. I saw something about it on TechNet. (I'm using Windows for
my internal CA). I'm guessing those instructions may work for IE
only. If I find anything interesting, I'll let you know.