Thursday, February 4, 2010

SSL Certificates Error

Entrust EV SSL Certificates FAQ
This section provides the answers to the most commonly asked questions about the Entrust EV SSL Certificates issued by Entrust. If you have a question that is not answered here or in the enrollment guide, please contact Entrust support.
What is 'Extended Validation'?
What is an Extended Validation (EV) SSL Certificate?
What is the CA/Browser Forum?
Which browsers will support Entrust EV SSL Certificates?
How will Entrust EV SSL Certificates increase consumer confidence?
What can I do to secure my site and increase consumer confidence today?
Who can purchase an Entrust EV SSL Certificate?
How can I buy an Entrust EV SSL Certificate?
Can I upgrade my existing Entrust SSL Certificates to the new Entrust EV SSL Certificates?
What is the maximum lifetime for an Entrust EV SSL Certificate?
How will Entrust EV SSL Certificates be different from the current Entrust SSL Certificates?
Are my existing Entrust SSL Certificates still sufficient for securing online transactions?
Should I switch to Entrust EV SSL Certificates?
How will older browsers without EV support behave on sites with Entrust EV SSL Certificates?
How will browsers respond when they visit a website with an invalid certificate or phishing site?
I operate my own CA based on Entrust software, can I issue EV certificates myself?
I'm a website operator. How will Entrust EV SSL Certificates affect me?
"Couldn't browsers just turn the address bar green with the current Entrust SSL certificates?"
Can I get an Entrust EV SSL wildcard certificate?
Entrust EV SSL Certificate Revocation Information & Reporting Policy
What is 'Extended Validation'?
'Extended Validation' refers to rigorous, industry-standard validation methods to be used by a CA before issuing an SSL certificate.
The guidelines for Extended Validation are published by the CA/Browser Forum here.
What is an Extended Validation (EV) SSL Certificate?
An Extended Validation (EV) SSL Server Certificate is a new category of SSL certificate created by an industry consortium called the CA/Browser Forum. This new category of certificate was conceived in response to the growing threat of phishing attacks, with the goal of increasing consumer confidence in online transactions.
EV certificates will be issued to websites only after rigorous validation of their identity. Web browsers will reflect this higher level of identity assurance with prominent and distinct trust indicators, such as the green address bar in Internet Explorer and Mozilla Firefox, and advanced green indicators in the latest versions of Opera and Google Chrome.
What is the CA/Browser Forum?
The CA/Browser Forum is a group of Certification Authority service providers, web browser manufacturers, and other industry participants that came together to look at ways to reduce the threat of phishing.
Entrust chairs this group and strongly supports its work. More information can be found at the CA/Browser Forum website.
Which browsers support Entrust EV SSL Certificates?
The majority of browsers in use today display green trust indicators for EV. Some of the major browsers supporting EV are Internet Explorer (version 7 and above), Mozilla Firefox version 3, Opera version 8, Safari version 3.2, Google Chrome and Flock version 2.
How will Entrust EV SSL Certificates increase consumer confidence?
With numerous malicious phishing incidents and online fraud, consumers are concerned with identity theft and would like reassurance that the site they are entering their personal data into can be trusted. If consumers feel the site is not trusted and their personal information is unencrypted, they will leave the site and take their transactions to another vendor.
Entrust EV SSL Certificates will help increase consumer confidence by displaying prominent and consistent trust indicators while consumers are conducting online transactions. The lock is now at the top of the browser window instead of the bottom, and if a website has an Entrust EV SSL Certificate installed, the address bar will turn green and display the identity of the site and the name of the certificate authority to let the consumer know they can shop with confidence.
What can I do to secure my site and increase consumer confidence today?
Current website security best practices are still valid - Extended Validation does not change that. Some things to consider while you're waiting for EV SSL certificates to be available:
Are you displaying your Entrust site seal on protected pages?
How are you authenticating your users?
How are you monitoring for fraud?
What access control mechanisms do you have in place?
Who can purchase an Entrust EV SSL Certificate?
A broad range of business entities are now eligible for EV certificates:
Private Organization: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation.
Government Entity: A government-operated legal entity, agency, department, ministry, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc).
Business Entity: Any entity that is neither a Private Organization nor a Government Entity. Examples include general partnerships, unincorporated associations and sole proprietorships.
How can I buy an Entrust EV SSL Certificate?
Entrust EV SSL Certificates will be available first for purchase through Entrust Certificate Services website at www.entrust.net, and at a later date through our Enhanced interface for customers managing larger pools of certificates.
Can I upgrade my existing Entrust SSL Certificates to the new Entrust EV SSL Certificates?
Yes.
Please note that customers taking advantage of these promotions will need to be validated under the new EV guidelines before certs can be issued.
What is the maximum lifetime for an Entrust EV SSL Certificate?
Entrust EV SSL Certificates have a maximum lifetime of 2 years (24 months).
How will Entrust EV SSL Certificates be different from the current Entrust SSL Certificates?
The primary difference will be in what happens before the Entrust EV SSL Certificates are even issued. Before issuing any Entrust SSL Certificate, Entrust performs checks to 'vet' or validate the identity of the requestor.
Under the new EV model, validation of an entity (e.g. a company or web site operator) requesting an Entrust EV SSL Certificate will be performed using industry standard guidelines, as defined by the CA/Browser Forum. This is different from current practices in that different Certification Authorities have very different validation standards. Although the majority of Certification Authorities have rigorous validation practices, not all do and this undermines the overall security of SSL for consumer transactions.
Certificates issued using 'Extended Validation' will include a reference to an EV-specific certificate policy. Each Certification Authority will have a unique policy and Policy Object Identifier (OID). Browsers supporting EV will behave differently when they encounter a certificate issued under an EV policy OID that they recognize.
Note that at a technical level, Entrust EV SSL Certificates will not be different from standard X.509 certificates and will be backwards compatible with older browsers. Entrust EV SSL Certificates will include more information on the subject (the entity the certificate was issued to) - including jurisdiction of incorporation.
Are my existing Entrust SSL Certificates still sufficient for securing online transactions?
From a cryptographic perspective, yes: your current Entrust SSL Certificates will still result in encrypted SSL sessions.
However, the greatest threat to online transactions is not cryptographic in nature - it is phishing. Phishing preys on consumers' inability to distinguish between trustworthy sites and imposter sites.
The EV initiative is targeted at making it easier for consumers to make that distinction. From a usability perspective, non-EV certificates will have decreasing effectiveness as consumers adopt the new browsers and come to expect the strong trust indicators provided by Entrust EV SSL Certificates while conducting transactions.
Should I switch to Entrust EV SSL Certificates?
If you are operating a website that conducts ecommerce transactions or if you collect sensitive or private information you should be considering switching to Entrust EV SSL Certificates.
Phishing attacks are a real threat to the trust consumers have placed on the internet and Entrust EV SSL Certificates can only be part of the solution if they are deployed and used widely.
How will older browsers without EV support behave on sites with Entrust EV SSL Certificates?
Browsers without EV support will continue to behave as they do today. As long as the certificate was issued by a CA trusted by the browser, the lock will close as expected.
In most cases, website support for both older browsers and newer EV browsers will require the installation of a cross-certificate on the web server which was issued by a root CA already embedded in older browsers. The cross-certificate will certify a newer EV specific issuing CA as trusted, and the actual web server site certificate will be issued from that issuing CA.
How will browsers respond when they visit a website with an invalid certificate or phishing site?
The response may vary depending on the type of browser but, in general, a red address bar could indicate that you have accessed a known phishing site.
Red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they wish.
A red address bar could also indicate that there may be a problem with the certificate or that it may not be issued from a trusted Certificate Authority.
Internet Explorer includes prominent warnings to users and will recommend users not visit the page.
If the user ignores the warnings and continues, the address bar goes red and red warning 'security badges' appear.
I operate my own CA based on Entrust software, can I issue EV certificates myself?
Yes, if you own an Entrust-rooted CA, you will be able to issue Entrust EV SSL Certificates once your CA is recognized by the EV-ready browsers. This will either entail cross-certification with a CA already in the EV root embedding programs of the major browsers or that you submit your own root into those programs.
In both cases you will need to undergo an audit under the CA/Browser Forum guidelines.
I'm a website operator. How will Entrust EV SSL Certificates affect me?
For website operators, one change to consider is that more details about the subscriber will be placed into the certificate, including:
Domain name
Organization name
Jurisdiction of Incorporation
City or town
State or province (if any)
Country - mandatory
Some CSR generating tools may not allow you to add this information to your certificates. However, Entrust will be able to add this information to your Entrust EV SSL Certificates once your certificate order has been placed.
Please note that EV standards do not permit the use of wildcard certificates which can impact the number of certificates you may be required to purchase.
"Couldn't browsers just turn the address bar green with the current Entrust SSL certificates?"
While it would be possible to enable more prominent security features in browsers based on current SSL certificates, the problem is with the inconsistent level of validation behind current certificates.
Some CAs today perform much less rigorous validation checks on companies requesting SSL certificates, which introduces the risk that a phishing site could acquire a valid SSL certificate.
With that risk in mind, the CA/Browser Forum set out to establish a consistent, common set of validation guidelines which participating CAs could follow, and which browser manufacturers could rely on before turning on more prominent security features such as the green address bar.
Can I get an Entrust EV SSL wildcard certificate?
No, the EV SSL guidelines do not permit wildcard certificates. In some cases the use of subjectAltName extensions can provide the same benefits as a wildcard certificate and this is permitted within the EV guidelines.
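As an added illustration of the wildcard rule above (not code from Entrust or from the original post): the script below turns a list of host names into an OpenSSL request configuration with one subjectAltName entry per host and refuses wildcard names. The function names, subject values and example.com hosts are constructed for the example; jurisdiction of incorporation is left out because, as the FAQ notes, the CA can add it after the order is placed.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_ev_names(hostnames):
    """Return lower-cased, de-duplicated host names; reject wildcards."""
    seen, result = set(), []
    for raw in hostnames:
        name = raw.strip().rstrip(".").lower()
        if "*" in name:
            raise ValueError(f"wildcard not permitted in an EV request: {raw!r}")
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(part) for part in labels):
            raise ValueError(f"not a fully qualified host name: {raw!r}")
        if name not in seen:
            seen.add(name)
            result.append(name)
    if not result:
        raise ValueError("at least one host name is required")
    return result


def build_ev_csr_config(subject, hostnames):
    """Render text for `openssl req -new -config <file>` with explicit SANs."""
    names = normalize_ev_names(hostnames)
    dn = [f"C = {subject['country']}"]
    if subject.get("state"):  # state or province is optional
        dn.append(f"ST = {subject['state']}")
    dn += [f"L = {subject['city']}", f"O = {subject['organization']}",
           f"CN = {names[0]}"]
    san = [f"DNS.{i} = {n}" for i, n in enumerate(names, start=1)]
    sections = [
        ["[ req ]", "prompt = no", "distinguished_name = dn",
         "req_extensions = ext"],
        ["[ dn ]"] + dn,
        ["[ ext ]", "subjectAltName = @san"],
        ["[ san ]"] + san,
    ]
    return "\n\n".join("\n".join(s) for s in sections) + "\n"


# Constructed sample input (hypothetical organization and hosts).
SAMPLE_SUBJECT = {"country": "US", "state": "Texas", "city": "Dallas",
                  "organization": "Example Corp"}
SAMPLE_HOSTS = ["www.example.com", "shop.example.com", "WWW.example.com."]

if __name__ == "__main__":
    print(build_ev_csr_config(SAMPLE_SUBJECT, SAMPLE_HOSTS))
```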
Entrust EV SSL Certificate Revocation Information & Reporting Policy
Under what conditions will my Entrust EV SSL Certificate be revoked?
Entrust MUST revoke an Entrust EV SSL Certificate it has issued upon the occurrence of any of the following events:
The Subscriber requests revocation of its Entrust EV SSL Certificate.
The Subscriber indicates that the original Entrust EV SSL Certificate Request was not authorized and does not retroactively grant authorization.
Entrust obtains reasonable evidence that the Subscriber's Private Key (corresponding to the Public Key in the Entrust EV SSL Certificate) has been compromised, or that the Entrust EV SSL Certificate has otherwise been misused.
Entrust receives notice or otherwise becomes aware that a Subscriber violates any of its material obligations under the Subscriber Agreement.
Entrust receives notice or otherwise becomes aware that a court or arbitrator has revoked a Subscriber's right to use the domain name listed in the Entrust EV SSL Certificate, or that the Subscriber has failed to renew its domain name.
Entrust receives notice or otherwise becomes aware of a material change in the information contained in the Entrust EV SSL Certificate.
A determination, in the CA's sole discretion, that the Entrust EV SSL Certificate was not issued in accordance with the terms and conditions of these Guidelines or the CA's EV Policies.
If Entrust determines that any of the information appearing in the Entrust EV SSL Certificate is not accurate.
Entrust ceases operations for any reason and has not arranged for another EV CA to provide revocation support for the EV Certificate.
Entrust's right to issue Entrust EV SSL Certificates under these Guidelines expires or is revoked or terminated [unless the CA makes arrangements to continue maintaining the CRL/OCSP Repository].
Entrust's Private Key for that Entrust EV SSL Certificate has been compromised.
Entrust receives notice or otherwise becomes aware that a Subscriber has been added as a denied party or prohibited person to a blacklist, or is operating from a prohibited destination under the laws of the CA's jurisdiction of operation.
What is Entrust's EV Certificate Problem Reporting and Response Capability?
Reporting: If you wish to revoke your Entrust EV SSL Certificate for any of the above reasons, you may contact Entrust by email at evssl@entrust.com or by filling in our online complaint form.
In addition to Entrust EV SSL Certificate revocation, Subscribers, Relying Parties, Application Software Vendors, and other third parties can contact Entrust by email at evssl@entrust.com or by filling in our online complaint form for reporting complaints or suspected Private Key compromise, EV Certificate misuse, or other types of fraud, compromise, misuse, or inappropriate conduct related to EV Certificates.
Investigation: Entrust will begin investigation of all Certificate Problem Reports within twenty-four (24) hours and decide whether revocation or other appropriate action is warranted based on at least the following criteria:
The nature of the alleged problem;
Number of Certificate Problem Reports received about a particular EV Certificate or website;
The identity of the complainants (for example, complaints from a law enforcement official that a web site is engaged in illegal activities have more weight than a complaint from a consumer alleging they never received the goods they ordered); and
Entrust EV SSL Certificates
Entrust SSL certificates provide encryption-based security of sensitive information for websites and are the solution of choice for IT administrators charged with protecting their customers' transactions. Entrust SSL products are designed to meet and exceed even the most rigorous enterprise security standards, including guidelines stipulating scalability, manageability, and cost effectiveness while providing robust 256k-bit end-to-end encryption of customer interactions.
Entrust offers a range of SSL related products, including EV SSL certificates, which effortlessly integrate into an organization's existing e-commerce platform to provide a superior standard of web-based transactional security. Extended Validation SSL Certificates denote the integrity of a website by requiring Entrust, the SSL certificate provider, to verify the identity and domain of the site owner prior to issuing an SSL secure server certificate. This additional layer of validation is signaled by a green address bar in major browsers, use of the https SSL protocol, and a badge from Entrust indicating the advanced level of security - all resulting in a higher level of consumer trust.
For over a decade, Entrust has been a leading provider of e-business solutions that secure online communications and transactions for enterprises.