Web-based businesses face a crisis in consumer confidence because of phishing scams. But because of a new kind of SSL certificate, Web sites will be able to definitively demonstrate their identity, and customers will be able to confirm the identity of trusted sites.

Extended Validation SSL (EV SSL) represents an attempt by browser and SSL vendors to fight phishing.

Developed by the CA/Browser Forum, EV SSL combines a new category of SSL certificates with a Web-browser interface that lets end users easily see whether a site has a valid certificate.

The EV SSL standard goes into great detail on three main authentication legs: organization, domain and requestor.

The certificate authority must establish that the requesting organization is a legally established business or nonprofit on record with the local government. It must establish this organization's ownership or right to use the Web domain in question, and it must establish that the requesting individual is employed by the organization and has the authority to obtain SSL certificates. Each authentication step depends on independent, outside information obtained from reliable third-party sources.

Once a certificate authority completes this authentication, it may issue a certificate with EV SSL status. This certificate operates exactly like a traditional SSL certificate. Browsers not built to recognize EV certificates (including Internet Explorer 6, Firefox 2 and their predecessors) behave as with non-EV certificates. New EV-compatible browsers, however, display these certificates in highly visible and informative ways, starting with Internet Explorer 7.

Internet Explorer 7 has added interface conventions to enhance site owner identification, most obviously the green address bar. When an Internet Explorer 7 browser accesses a page with an EV SSL certificate, it changes the address bar's background to green, which indicates a site has undergone high-level identity authentication.

Internet Explorer 7 also contains the security status bar. On pages with EV SSL certificates, it displays the organization name, which comes directly from the certificate. Because the certificate authority verified this name and the browser displays it in its own interface, visitors can rely on it.

From: A new SSL certificate is on the way, Network World, 01/08/07.