Problems with Extended Validation SSL
- C4a3: EV depends on a WebTrust audit; CAs audited under the ETSI criteria are not accommodated.
- D6a3: Incompatible with Qualified Certificates.
- A1b: Only covers server authentication.
- Does not address Man-in-the-Browser attacks, and even makes them worse by making the user think the connection is safe.
- There is no approved version of the EV Guidelines yet, but C4b3 requires the CA's policy to contain a URL pointing to the approved version of the EV Guidelines. So the requirement is impossible to fulfill.
- C4c1: The insurance requirements only create a barrier to entry for CAs and do not improve the quality of the certificates.
- The EV Guidelines forget about the liability demands that software vendors have towards their users.
- Wildcard certificates are not allowed. -> Further income for commercial CAs, questionable security value.
- D6a3: The OIDs (1.3.6.1.4.1.311.60.2.1.1, ...) come from Microsoft's private arc.
  The OIDs aren't documented properly: http://asn1.elibel.tm.fr/cgi-bin/oid/display?oid=1.3.6.1.4.1.311.60.2.1.3&submit=Display&action=display
- B3a2C: Only registered organisations can obtain EV certificates.
- E12b2 demands protection of private keys, but nobody besides a developer is in a position to actually do that.
- E12b2 only demands that the secrecy of the private key be maintained, but forgets about its initial secrecy (at key generation). This is a common bad practice.
- E12b2: Proof-of-Non-Possession is missing.
- K36: Privacy does not seem to be a major topic for EV.
- K37 is likely problematic. (Systemic flaws like Man-in-the-Browser could be a problem here.)
- Appendix B2c: Privacy issues regarding OCSP over HTTP (the OCSP responder, normally run by the CA, learns in plaintext which sites a user visits).
- 4.1.a: It is impossible to comply with all applicable laws.
http://www.sslshopper.com/article-phishing-with-ev-ssl-certificates.html
A website was found using a non-compliant EV certificate:
- It lacks a physical address, which is required by the guidelines.
- It was signed and issued long before the EV Guidelines were approved.
- The certificate is valid for a period of _two_ years, whereas the guidelines allow a maximum of _ONE_ year only.
- The certificate lacks a link to the URL of the approved guidelines.
- The CA cannot have undergone a WebTrust for EV audit yet, since there are no approved criteria to audit against.
The CPS link in the certificate goes to https://www.website.com/rpa/, a page that contains insecure (non-HTTPS) objects.
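Several of the defects listed above (missing physical address, missing jurisdiction attributes from the Microsoft OID arc, validity longer than the one-year maximum asserted above) can be checked mechanically from the certificate's subject Name and validity dates. The following script is an added example and is not part of these notes or of the sslshopper article: it uses only the Python standard library, contains a minimal DER encoder/parser so the sample subjects can be built and parsed offline, and treats the one-year limit as a parameter (`max_days`) because that figure is the one this page asserts. The OID assignments are real (Microsoft's 1.3.6.1.4.1.311.60.2.1.x arc and the X.520 address attributes); the two sample organisations and their certificates are constructed for the example, and all values are written as UTF8String.

```python
# Added example: check an X.509 subject Name and validity period against
# the EV points above.  Stdlib only.  Sample organisations are made up.
from datetime import date

# Microsoft's private arc used by the EV Guidelines for jurisdiction of incorporation
EV_JURISDICTION_OIDS = {
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionOfIncorporationLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}
# X.520 attributes that make up the physical address the guidelines demand
REQUIRED_ADDRESS_OIDS = {"2.5.4.9": "streetAddress", "2.5.4.7": "localityName",
                         "2.5.4.6": "countryName"}
OID_ORGANIZATION = "2.5.4.10"

# --- minimal DER helpers (enough for a Name) --------------------------------
def der_len(n):
    """Encode a DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    """DER content octets -> dotted OID (handles the 2.x arc packing too)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def encode_name(attrs):
    """[(oid, text), ...] -> DER Name, one AttributeTypeAndValue per RDN."""
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(o)) + tlv(0x0C, v.encode())))
                    for o, v in attrs)
    return tlv(0x30, rdns)

def parse_name(der):
    """DER Name -> [(oid, text), ...]."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = read_tlv(body, pos)
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)
            attrs.append((decode_oid(oid), value.decode("utf-8")))
    return attrs

# --- the EV checks from the list above --------------------------------------
def ev_findings(subject_der, not_before, not_after, max_days=365):
    """Return the list of defects found; an empty list means none of these fired."""
    present = {oid for oid, _ in parse_name(subject_der)}
    findings = []
    if OID_ORGANIZATION not in present:
        findings.append("no organizationName in subject")
    missing = [n for o, n in REQUIRED_ADDRESS_OIDS.items() if o not in present]
    if missing:
        findings.append("physical address incomplete, missing " + ", ".join(missing))
    if not any(o in present for o in EV_JURISDICTION_OIDS):
        findings.append("no jurisdictionOfIncorporation attribute (Microsoft OID arc)")
    days = (not_after - not_before).days
    if days > max_days:
        findings.append(f"validity {days} days exceeds the {max_days}-day maximum")
    return findings

def run_samples():
    """Constructed samples: a compliant subject and one like the certificate above."""
    good = encode_name([("2.5.4.6", "US"), ("2.5.4.8", "Delaware"), ("2.5.4.7", "Wilmington"),
                        ("2.5.4.9", "1 Example Street"), ("2.5.4.17", "19801"),
                        ("1.3.6.1.4.1.311.60.2.1.3", "US"), ("2.5.4.10", "Example Corp"),
                        ("2.5.4.3", "www.example.com")])
    bad = encode_name([("2.5.4.6", "US"), ("1.3.6.1.4.1.311.60.2.1.3", "US"),
                       ("2.5.4.10", "Example Corp"), ("2.5.4.3", "www.example.com")])
    return {"good": ev_findings(good, date(2007, 1, 1), date(2007, 12, 31)),
            "bad": ev_findings(bad, date(2007, 1, 1), date(2009, 1, 1))}

if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, findings or "no findings")
```

The "bad" sample reproduces two of the points above: no street address or locality, and a two-year validity period. Note that a Name parsed this way is not a full certificate check; the script decodes only the subject, and in a real deployment you would take the subject DER and the validity dates from the parsed certificate.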