High Assurance / Enhanced Validation Name of Presenter: Kevin Brown Date: August 5th Confidential.


High Assurance / Enhanced Validation

Name of Presenter: Kevin Brown

Date: August 5th

Confidential

How Safe Is The Internet?

• SSL Phishing Attack targets Mountain America Credit Union

• 450 SSL Phishing Attacks were reported in 2005

• 18,480 Phishing incidents were reported in March 2006 alone.

SOURCE: Washington Post, Anti-Phishing Workgroup, January 2006

Where is the Trustworthiness on the Internet?

• The Certificate Practice Statement (CPS) from one Certificate Authority (CA) to another can differ

• A CA can issue a certificate as long as they follow the policies in their CPS

• There is no industry standard amongst CAs

• No means for online users to identify the type of SSL Cert issued

Where to from here?

thawte is involved with the CA Browser Forum, comprised of:

– American Bar Association – Information Security Committee

– Browser manufacturers

– Certificate Authorities

The purpose of which is to define industry standard online identity assurance processes.

What is High Assurance (HA)?

– Delivering an industry standard for Identity Assurance

– Modifying existing online identity assurance processes

– Improved browser representation of online identities

How is HA different from the current Verification and Authentication process for High Auth certs?

• The process is intended to be more comprehensive and standardized across the entire industry.

• The new standards/processes will have to be adhered to by all CAs who wish to offer HA Certs.

• This will encourage greater confidence in CAs and in the processes that are used to vet and issue digital certificates.


High Assurance is a Driver for SSL Growth

Green URL shows up for high assurance certs

Name of Organization that cert is issued to

CA that performed the “high assurance” authentication

High Assurance

Low Assurance / Domain Validated

No Green URL

No Organization name or CA included in UI

High Assurance Certificates will increase brand preference and drive increased SSL adoption

Current beta version subject to change


Other browsers have already made usability enhancements (Opera, Netscape and Firefox)

Opera

Firefox

Netscape

Green URL Bar Cert Org Name and Country

Identified by CERTIFICATE AUTHORITY

Security Report (single click) CA Org, L, State, C

Certificate Policy OID

Intermediate “HA” CA

thawte cert – no green bar, no Org

Shared Hosting / cert domain mismatch

Continue? Red URL Bar

it’s a trust thing

• As the CA of choice for hundreds of thousands we enable trust on the Internet

• An industry standard for SSL certificates will:

– enable companies to earn the trust of their users and customers

– instill confidence in people

– enable a trustworthy Internet

• HA will give credence to what we do

Thank You – Q&A
