Hello Vladimir, The difference is the policy against which the Certificate has been issued - EVSSL Certs are issued according to a standard Certificate Policy outlined by the CA/Browser forum, by Certificate Authorities which have been certified by each of the major browser authors / vendors.
My understanding is that there are two factors that are taken into consideration when signaling to the user that a site is using an EVSSL - the values (probably AKI and Issuer DN) for EVSSL CA Certificates are baked into the browsers, and I believe that some of the CAs also use Certificate Policy values, which are compared against a whitelist that is also baked into the browsers. The EVSSL Certificate policy also mandates that certain fields be present in the Subject DN of the certs. Because of this, I think that your contact at Thawte was slightly mistaken - I believe that the Subject DN fields and inclusion of the certificatePolicy values are NOT standard for a number of the "plain" Server SSL Certs, so these would be extras that are included in EVSSL Certs. From my understanding, there isn't a specific "arrangement" as you put it - any CA can get accredited for EVSSL, as long as a) they issue certificates to the general public and b) they complete an annual audit by a recognised audit firm that attests that the CA follows the EVSSL Certificate policy. Once a CA has that, they can simply apply to each of the browser vendors, provide them with the results of the audit, probably sign a few legal agreements, and the browser vendor will add them to the approved list. So there isn't a "special Root", or anything other than that. As an aside - this isn't an OpenSSL question, unless you are looking for advice on how to code an application to recognise EVSSL Certs. More general questions like this probably belong at the SSL Observatory, or some similar mailing list. Have fun. Patrick. On 2012-06-13, at 12:57 PM, Vladimir Belov wrote: > Hello. > > Many public CAs suggest Extended Validation for certificates of web servers. > These certificates cost much more expensive but in browser we can only see > green address bar instead of yellow or blank. > I thought what is the difference between green and yellow address bars in > browser for certificate's fields. Maybe there are some special extensions > that can be added by CA during signing of certificate request. I had a talk > with a specialist of technical support of Thawte and he said that "There is > no difference in what an Extended Validation certificate technically from all > of our other certificates. It is the cosmetics that they do on a browser. For > an example, the SSL Web Server certificate would have the same properties, > extensions, etc, that our Extended Validation certificates have. The only > difference is that the EV certificates display the web browsers URL address > bar green when a successful secured connection has been made". He also > refused to answer how browser determines what bar to display - green or > yellow? > > So, I think maybe there is a arrangement of CA's companies(Verisign,Thawte > and others) with browser's companies(Microsoft, Opera, Mozilla) that a > special root certificate is use for Extended Validation. Therefore, any web > server's certificate which is signed at the top with this special root cert > is treated as cert with Extended Validation and a green bar is displayed. > > Who has another point of view? > > > Regards, > > Vladimir. > > > [sorry, my english isn't good :)] > This is my talk with Thawte technical support: > > You have been connected to Macario . > Macario : Good day, how may I help you today? > Vladimir Belov: Hello > Vladimir Belov: What is the difference between green and yellow address bars > in browser. What fields in certificate determine what bar will be - green or > yellow? > Macario : Green address bar is when an Extended Validation certificate is > installed as that is the highest level security certificate we offer. > Vladimir Belov: What is the " Extended Validation"? What fields of > certificate it sets? > Macario : It is an extended process that we go through to validate the > certificate information before it is approved. > Macario : One of the main features of this certificate is having the address > bar green. > Macario : If you see a yellow address bar, it is most likely due to having an > old version of your browser installed. > Vladimir Belov: I need technical info, more in detail please > Vladimir Belov: What fields of certificate it sets? > Vladimir Belov: Can you switch me to a technical specialist? For example, > Duke. > Macario : Sure, let me get you over to our technical support group for > further assistance. > Macario has left the session. > Please wait while we find an agent from the transfer TechSupport Thawte > department to assist you. > You have been connected to Clifford. > Clifford: Please hold as I review your information, thank you. > Vladimir Belov: Ok. I am waiting. > Clifford: You have reached Technical Support. What specific technical > information are you looking for please? > Vladimir Belov: What is the " Extended Validation"? What fields of > certificate it sets? > Clifford: Please be more technically specific as to what you mean "fields of > certificate" it sets > Clifford: What fields are you referring to? > Vladimir Belov: What fields of x509 certificate it sets? > Clifford: Unfortunately that does not make sense. X.509 is a base64 format of > any digital certificate, not just SSL. > Clifford: What fields are you looking for? > Clifford: There is no specific term called "fields" on a certificate. Please > describe technically what you are looking for > Vladimir Belov: What will be the difference in fields of x509-certificate > "SSL Web Server Certificates with EV" and for example "SSL123 Certificates"? > "Fields" such as special extensions. Basic fields of x509-certificate are > Subject, Isuuer, NotBefore, NotAfter and so on > Vladimir Belov: Other fields are exyensions such as basicConstraints, keyUsage > Vladimir Belov: Other fields are extensions such as "basicConstraints", > "keyUsage" > Clifford: There is no difference in what an Extended Validation certificate > technically from all of our other certificates. It is the cosmetics that they > do on a browser. For an example, the SSL Web Server certificate would have > the same properties, extensions, etc, that our Extended Validation > certificates have. The only difference is that the EV certificates display > the web browsers URL address bar green when a successful secured connection > has been made. > Vladimir Belov: How browser determines what bar green or yellow to display? > Vladimir Belov: If you say that "the SSL Web Server certificate would have > the same properties, extensions, etc, that our Extended Validation > certificates " > Clifford: Unfortunately that is information that we cannot disclose. > Vladimir Belov: Why? :) > Vladimir Belov: Is this so secret? > Clifford: That is correct. > Clifford: Are there any other questions I can answer for you at this time? > Vladimir Belov: How browser determines what bar green or yellow to display? :) > Clifford: Do you have any other questions at this time as we cannot disclose > this information. > Vladimir Belov: Ok. No. > Clifford: If there is nothing further, thank you for choosing Thawte and have > a great day. > Thank you for using thawte Live Chat. You may now close this window. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org --- Patrick Patterson Chief PKI Architect Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
