EV SSL Certificates, make our own? - Debian
-
EV SSL Certificates, make our own?
Is there a way to make our own EV SSL Certificates?
I like the fact that when you're on a site with an EV SSL Cert in
Firefox 3 that the location bar turns green and shows extra
information. My goal is to be able to provide that same thing for our
internal users on our official/internal sites. These certs would be
signed by our company's certificate authority (or make a new EV
certificate authority if necessary).
Thanks,
Dusty
--
To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-
Re: EV SSL Certificates, make our own?
On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
> Is there a way to make our own EV SSL Certificates?
I'll rephrase it since I haven't heard any responses. Is there
something special about an EV SSL cert or is it just a regular old SSL
cert with an extra attribute or flag? I've searched all over the net
for a resource to help me on this, but I've hit a dead end. Any
suggestions?
Thanks,
Dusty
-
Re: EV SSL Certificates, make our own?
On 05/04/08 10:32, Dusty Wilson wrote:
> On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
>
>> Is there a way to make our own EV SSL Certificates?
>>
>
> I'll rephrase it since I haven't heard any responses. Is there
> something special about an EV SSL cert or is it just a regular old SSL
> cert with an extra attribute or flag? I've searched all over the net
> for a resource to help me on this, but I've hit a dead end. Any
> suggestions?
I hadn't heard of Extended Validation SSL Certificates before, but
reading the Wikipedia entry, it
sounds like it isn't something that you can really do yourself, but from
the article: "/The primary way to identify an EV certificate is by
referencing the Certificate Policies extension field/", so you could
experiment with that, presumably adding a custom certificate authority
to your internal clients' web browsers...
Good luck.
Gavin
--
Gavin Westwood
Solutium
http://www.solutium.net - Going the extra mile to provide a fast,
helpful, reliable Web Hosting service.
-
Re: EV SSL Certificates, make our own?
> > On Thu, Apr 3, 2008 at 10:35 AM, Dusty Wilson wrote:
> > > Is there a way to make our own EV SSL Certificates?
> >
> On Sat, 2008-04-05 at 04:32 -0500, Dusty Wilson wrote:
> > I'll rephrase it since I haven't heard any responses. Is there
> > something special about an EV SSL cert or is it just a regular old SSL
> > cert with an extra attribute or flag? I've searched all over the net
> > for a resource to help me on this, but I've hit a dead end. Any
> > suggestions?
> >
On Sat, Apr 5, 2008 at 4:49 AM, Shane Chrisp wrote:
> Maybe have a look at www.cacert.org. I'm not sure if there 'is' any
> difference but if any place would know, they should, and it's worth being
> a member there to get free ssl certs anyway.
I'm both an existing user and a financial contributor to the
cacert.org project. If anyone out there doesn't know about them, give
them a look! Free certs are great, but their paid certs are worth
every penny. You pay them to verify your identity and in exchange,
you can make as many certs as you want for a specified time. Support
these guys if you can. Also, AFAIK their certs are trusted in every
browser but IE.
I haven't seen any mention of EV SSL on their site. I may just shoot
them an email to see if they have any input on this. Thanks for your
suggestion... I don't know why I didn't think of it myself.
Thanks,
Dusty
-
Re: EV SSL Certificates, make our own?
> On Sat, Apr 5, 2008 at 10:32 AM, Dusty Wilson wrote:
> > I'll rephrase it since I haven't heard any responses. Is there
> > something special about an EV SSL cert or is it just a regular old SSL
> > cert with an extra attribute or flag? I've searched all over the net
> > for a resource to help me on this, but I've hit a dead end. Any
> > suggestions?
> >
On Sat, Apr 5, 2008 at 5:39 AM, Frederik Kriewitz wrote:
> There's no real difference on the technical side between the normal and EV
> certs. In Firefox 3 beta 5 EV OIDs are hard coded.
> So you will have to recompile FF and deploy the modified version.
Oh no. That's the nail in the coffin right there. Does anyone know
of any plans to have these *not* hard-coded? I can imagine that maybe
the goal is to prevent some sort of accidental trust, but hard-coding
just doesn't feel right at all to me.
Thanks Frederik; your response on this was very helpful.
(following left in for the benefit of the list)
> Currently there are 7 EV OIDs listed:
> From mozilla/security/manager/ssl/src nsIdentityChecking.cpp:
> struct nsMyTrustedEVInfo
> {
>   char *dotted_oid;
>   char *oid_name; // Set this to null to signal an invalid structure,
>                   // (We can't have an empty list, so we'll use a dummy entry)
>   SECOidTag oid_tag;
>   char *ev_root_sha1_fingerprint;
>   char *issuer_base64;
>   char *serial_base64;
>   CERTCertificate *cert;
> };
>
> static struct nsMyTrustedEVInfo myTrustedEVInfos[] = {
>   {
>     // OU=Go Daddy Class 2 Certification Authority,O=\"The Go Daddy Group, Inc.\",C=US
>     "2.16.840.1.114413.1.7.23.3",
>     "Go Daddy EV OID a",
>     SEC_OID_UNKNOWN,
>     "27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4",
>     "MGMxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIElu"
>     "Yy4xMTAvBgNVBAsTKEdvIERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRo"
>     "b3JpdHk=",
>     "AA==",
>     nsnull
>   },
>   {
>     // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
>     "2.16.840.1.114413.1.7.23.3",
>     "Go Daddy EV OID a",
>     SEC_OID_UNKNOWN,
>     "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
>     "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
>     "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
>     "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
>     "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
>     "AQ==",
>     nsnull
>   },
>   {
>     // E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O=\"ValiCert, Inc.\",L=ValiCert Validation Network
>     "2.16.840.1.114414.1.7.23.3",
>     "Go Daddy EV OID b",
>     SEC_OID_UNKNOWN,
>     "31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6",
>     "MIG7MSQwIgYDVQQHExtWYWxpQ2VydCBWYWxpZGF0aW9uIE5ldHdvcmsxFzAVBgNV"
>     "BAoTDlZhbGlDZXJ0LCBJbmMuMTUwMwYDVQQLEyxWYWxpQ2VydCBDbGFzcyAyIFBv"
>     "bGljeSBWYWxpZGF0aW9uIEF1dGhvcml0eTEhMB8GA1UEAxMYaHR0cDovL3d3dy52"
>     "YWxpY2VydC5jb20vMSAwHgYJKoZIhvcNAQkBFhFpbmZvQHZhbGljZXJ0LmNvbQ==",
>     "AQ==",
>     nsnull
>   },
>   {
>     // OU=Starfield Class 2 Certification Authority,O=\"Starfield Technologies, Inc.\",C=US
>     "2.16.840.1.114414.1.7.23.3",
>     "Go Daddy EV OID b",
>     SEC_OID_UNKNOWN,
>     "AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A",
>     "MGgxCzAJBgNVBAYTAlVTMSUwIwYDVQQKExxTdGFyZmllbGQgVGVjaG5vbG9naWVz"
>     "LCBJbmMuMTIwMAYDVQQLEylTdGFyZmllbGQgQ2xhc3MgMiBDZXJ0aWZpY2F0aW9u"
>     "IEF1dGhvcml0eQ==",
>     "AA==",
>     nsnull
>   },
>   {
>     // CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>     "2.16.840.1.114412.2.1",
>     "DigiCert EV OID",
>     SEC_OID_UNKNOWN,
>     "5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25",
>     "MGwxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsT"
>     "EHd3dy5kaWdpY2VydC5jb20xKzApBgNVBAMTIkRpZ2lDZXJ0IEhpZ2ggQXNzdXJh"
>     "bmNlIEVWIFJvb3QgQ0E=",
>     "AqxcJmoLQJuPC3nyrkYldw==",
>     nsnull
>   },
>   {
>     // CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
>     "1.3.6.1.4.1.8024.0.2.100.1.2",
>     "Quo Vadis EV OID",
>     SEC_OID_UNKNOWN,
>     "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7",
>     "MEUxCzAJBgNVBAYTAkJNMRkwFwYDVQQKExBRdW9WYWRpcyBMaW1pdGVkMRswGQYD"
>     "VQQDExJRdW9WYWRpcyBSb290IENBIDI=",
>     "BQk=",
>     nsnull
>   },
>   {
>     // OU=Class 3 Public Primary Certification Authority,O=\"VeriSign, Inc.\",C=US
>     "2.16.840.1.113733.1.7.23.6",
>     "Verisign EV OID",
>     SEC_OID_UNKNOWN,
>     "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2",
>     "MF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UE"
>     "CxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0"
>     "eQ==",
>     "cLrkHRDZKTS2OMp7A8y6vw==",
>     nsnull
>   },
>   {
>     // OU=Sample Certification Authority,O=\"Sample, Inc.\",C=US
>     "0.0.0.0",
>     0, // for real entries use a string like "Sample INVALID EV OID"
>     SEC_OID_UNKNOWN,
>     "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33",
>     "Cg==",
>     "Cg==",
>     nsnull
>   }
> };
>
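The quoted table answers the "extra attribute or flag" question: the flag is a CA-specific policy OID in the Certificate Policies extension, and Firefox accepts it only together with the hard-coded fingerprint of that CA's root. The following is an added example, not code from this thread or from Mozilla: a pure-Python parser for the extension plus that pairing rule. TRUSTED_EV holds two entries copied from the quoted table; the DER input is constructed by hand and the "internal root" fingerprint is a dummy value.

```python
# Added example (not the thread's code): parse the policy OIDs out of a DER
# CertificatePolicies extension and apply the rule the quoted Firefox table implies.
TRUSTED_EV = {  # (policy OID, root SHA-1) pairs copied from the quoted table
    ("1.3.6.1.4.1.8024.0.2.100.1.2", "CA:3A:FB:CF:12:40:36:4B:44:B2:16:20:88:80:48:39:19:93:7C:F7"),
    ("2.16.840.1.113733.1.7.23.6", "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"),
}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: N more length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """DER OID content octets -> dotted string (first byte is 40*arc1+arc2)."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """policyIdentifier of each PolicyInformation in the CertificatePolicies SEQUENCE."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("CertificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)      # one PolicyInformation
        oid_tag, oid, _ = read_tlv(info, 0)      # its first field is the OID
        if tag == 0x30 and oid_tag == 0x06:
            oids.append(decode_oid(oid))
    return oids

def ev_oid(ext_value, root_sha1):
    """The matching EV OID, or None: a copied OID under another root is not EV."""
    for oid in policy_oids(ext_value):
        if (oid, root_sha1.upper()) in TRUSTED_EV:
            return oid
    return None

# Constructed sample (not a real cert): CertificatePolicies carrying the VeriSign
# EV OID 2.16.840.1.113733.1.7.23.6 plus anyPolicy 2.5.29.32.0, DER-encoded by hand.
SAMPLE = bytes.fromhex("3017300d060b6086480186f8450107170630060604551d2000")
INTERNAL_ROOT = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"  # dummy
VERISIGN_ROOT = "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
```

Running ev_oid(SAMPLE, INTERNAL_ROOT) returns None while ev_oid(SAMPLE, VERISIGN_ROOT) returns the OID, which is exactly why an internal CA cannot get the green bar by copying a public CA's policy OID into its own certificates.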
-
Re: EV SSL Certificates, make our own?
On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
> Is there a way to make our own EV SSL Certificates?
>
> I like the fact that when you're on a site with an EV SSL Cert in
> Firefox 3 that the location bar turns green and shows extra
> information. My goal is to be able to provide that same thing for our
> internal users on our official/internal sites. These certs would be
> signed by our company's certificate authority (or make a new EV
> certificate authority if necessary).
Maybe this will be helpful (never tried it myself):
http://urbansensors.wordpress.com/20...alidation-ev-ssl-certificates/
--
+---------------------------------------+
| -o) http://wanted.eu.org/
| /\\ Message void if penguin violated
+ _\_V Don't mess with the penguin
-
Re: EV SSL Certificates, make our own?
* Dusty Wilson [2008-04-05 09:11-0400]:
>
> I'm both an existing user and a financial contributor to the
> cacert.org project. If anyone out there doesn't know about them, give
> them a look! Free certs are great, but their paid certs are worth
> every penny. You pay them to verify your identity and in exchange,
> you can make as many certs as you want for a specified time. Support
> these guys if you can. Also, AFAIK their certs are trusted in every
> browser but IE.
>
CAcert is great, I'm also a user. However, their certs are *not* trusted
in every browser but IE. They have not completed their 3rd party audit
that would enable them to be included in Firefox/Mozilla products. They
are available in Debian in the ca-certificates package, but without that
installed, or if you have a user not running Debian, then you have to
install their root; otherwise the user is prompted (and I've heard that
on XP it flat-out refuses to continue).
The following are the latest on the status of inclusion:
https://bugzilla.mozilla.org/show_bug.cgi?id=215243
http://wiki.cacert.org/wiki/InclusionStatus
Micah
-
Re: EV SSL Certificates, make our own?
> * Dusty Wilson [2008-04-05 09:11-0400]:
> >
> > I'm both an existing user and a financial contributor to the
> > cacert.org project. If anyone out there doesn't know about them, give
> > them a look! Free certs are great, but their paid certs are worth
> > every penny. You pay them to verify your identity and in exchange,
> > you can make as many certs as you want for a specified time. Support
> > these guys if you can. Also, AFAIK their certs are trusted in every
> > browser but IE.
> >
On Sat, Apr 5, 2008 at 1:27 PM, Micah Anderson wrote:
> CAcert is great, I'm also a user. However, their certs are *not* trusted
> in every browser but IE. They have not completed their 3rd party audit
> that would enable them to be included in Firefox/Mozilla products. They
> are available in debian in the ca-certificates package, but without that
> installed, or if you have a user not running Debian, then you have to
> install their root otherwise the user is prompted (and I've heard that
> on XP it flat-out refuses to continue).
Ah ha! I'm a heavy Debian user and don't really live outside of it.
I do know I used Firefox on Windows one time and the cert wasn't
trusted. I had assumed it may have been an old version of Firefox to
blame. Thank you for the correction.
> The following are the latest on the status of inclusion:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=215243
> http://wiki.cacert.org/wiki/InclusionStatus
-
Re: EV SSL Certificates, make our own?
> On Thu, Apr 03, 2008 at 10:35:27AM -0500, Dusty Wilson wrote:
> > Is there a way to make our own EV SSL Certificates?
> >
> > I like the fact that when you're on a site with an EV SSL Cert in
> > Firefox 3 that the location bar turns green and shows extra
> > information. My goal is to be able to provide that same thing for our
> > internal users on our official/internal sites. These certs would be
> > signed by our company's certificate authority (or make a new EV
> > certificate authority if necessary).
On Sat, Apr 5, 2008 at 11:15 AM, Marcin Sochacki wrote:
> Maybe this will be helpful (never tried it myself):
> http://urbansensors.wordpress.com/20...alidation-ev-ssl-certificates/
Thanks for this link, Marcin. This makes it look promising for those
with IE deployed and used. Good link to have. I believe it'll be a
good stepping stone to move forward. Thanks.