= Problems with Extended Validation SSL =

 1. C4a3: EV depends on WebTrust, does not work with ETSI
 1. D6a3: Incompatible with Qualified certificates
 1. A1b: Only covers server authentication
 1. Does not address Man-in-the-Browser; it even makes it worse by making the user think the connection is safe.
 1. There is no official version of the EV Guidelines yet, but C4b3 requires the policy to contain a URL to the approved version of the EV Guidelines. So it is impossible to fulfill.
 1. C4c1: Insurance requirements only create a barrier to entry for CAs, and don't improve the quality of the certificates.
 1. The EV Guidelines forget about the liability demands of the software vendors for their users.
 1. Wildcard certificates are not allowed. -> Further income for commercial CAs, questionable security value.
 1. D6a3: The OIDs (1.3.6.1.4.1.311.60.2.1.1, ...) are from Microsoft.
 1. The OIDs aren't documented properly: http://asn1.elibel.tm.fr/cgi-bin/oid/display?oid=1.3.6.1.4.1.311.60.2.1.3&submit=Display&action=display
 1. B3a2C: Only registered organisations
 1. E12b2 demands protection of private keys, but there is no possibility for anyone besides a developer to actually do that.
 1. E12b2 only demands maintaining the secrecy of the private key, but forgets the initial secrecy. This is bad common practice.
 1. E12b2: Proof-of-Non-Possession is missing
 1. K36: Privacy does not seem to be a major topic for EV
 1. K37 is likely problematic. (Systemic flaws like Man-in-the-Browser could be a problem here)
 1. Appendix B2c: Privacy issues regarding OCSP over HTTP
 1. 4.1.a: It's impossible to fulfill all laws
 1. http://www.sslshopper.com/article-phishing-with-ev-ssl-certificates.html
 1. http://usablesecurity.org/papers/jackson.pdf

A website was using a wrong EV certificate:

 * It lacks a physical address, which is required by the guidelines.
 * It was signed and issued long before the EV Guidelines were approved.
 * The certificate is valid for a period of _two_ years, whereas the guidelines allow a maximum of _ONE_ year only.
 * The certificate lacks a link to the URL of the approved guideline.
 * The CA can't have done a WebTrust for EV audit yet, without approved criteria.
 * The CPS link in the certificate goes to https://www.website.com/rpa/ which is a website that contains insecure objects.

See [[ExtendedValidationSSL]]
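The subject-field and validity-period complaints above can be turned into an automated check. The following Go program is an added example, not code from this wiki or from any CA; it builds two constructed self-signed certificates (one mirroring the criticised certificate: no address, two-year validity; one carrying the fields the checks look for) and runs the same checks over both. The one-year limit is the maximum the page states; the jurisdictionOfIncorporationCountryName OID (1.3.6.1.4.1.311.60.2.1.3) is the one the page links to, and businessCategory (2.5.4.15) is a standard X.520 attribute. The CPS-link check is not implemented because Go's parser does not expose policy qualifiers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attribute OIDs: the Microsoft-arc jurisdiction OID named on the page
// and the standard X.520 businessCategory attribute.
var (
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
)

// MaxEVValidity is the one-year maximum the page states for EV certificates.
const MaxEVValidity = 366 * 24 * time.Hour

// CheckEVCertificate returns one finding per failed check; an empty slice
// means the certificate passed all checks implemented here.
func CheckEVCertificate(cert *x509.Certificate) []string {
	var findings []string
	s := cert.Subject
	if len(s.StreetAddress) == 0 || len(s.Locality) == 0 || len(s.Country) == 0 {
		findings = append(findings, "missing physical address (streetAddress, L, C)")
	}
	if s.SerialNumber == "" {
		findings = append(findings, "missing registration number (serialNumber)")
	}
	// Subject.Names holds every parsed subject attribute, known or not.
	present := map[string]bool{}
	for _, atv := range s.Names {
		present[atv.Type.String()] = true
	}
	if !present[oidJurisdictionCountry.String()] {
		findings = append(findings, "missing jurisdictionOfIncorporationCountryName (1.3.6.1.4.1.311.60.2.1.3)")
	}
	if !present[oidBusinessCategory.String()] {
		findings = append(findings, "missing businessCategory (2.5.4.15)")
	}
	if v := cert.NotAfter.Sub(cert.NotBefore); v > MaxEVValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds one year", v.Hours()/24))
	}
	return findings
}

// SelfSigned builds and re-parses a constructed self-signed certificate so the
// checker sees exactly what a parser would; it is sample data, not a CA-issued
// EV certificate.
func SelfSigned(subject pkix.Name, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		DNSNames:     []string{"www.example.com"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PageExample mirrors the certificate criticised on the page: no address in
// the subject and a two-year validity period (constructed values).
func PageExample() (*x509.Certificate, error) {
	return SelfSigned(pkix.Name{CommonName: "www.website.com", Organization: []string{"Website Inc."}},
		2*365*24*time.Hour)
}

// CompliantExample carries the subject fields the checks look for and a
// one-year validity period (constructed values).
func CompliantExample() (*x509.Certificate, error) {
	return SelfSigned(pkix.Name{
		CommonName:    "www.example.com",
		Organization:  []string{"Example GmbH"},
		StreetAddress: []string{"1 Example Street"},
		Locality:      []string{"Berlin"},
		Country:       []string{"DE"},
		SerialNumber:  "HRB 12345", // constructed registration number
		ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidJurisdictionCountry, Value: "DE"},
			{Type: oidBusinessCategory, Value: "Private Organization"},
		},
	}, 365*24*time.Hour)
}

func main() {
	for _, mk := range []func() (*x509.Certificate, error){PageExample, CompliantExample} {
		cert, err := mk()
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", cert.Subject.CommonName, CheckEVCertificate(cert))
	}
}
```

The checker deliberately reports every failure rather than stopping at the first, since a reviewer wants the full list of deviations from the guidelines; to run it over a real certificate, replace the constructed examples with `x509.ParseCertificate` on the DER bytes of the certificate under review.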