EV certificates and individuals
I've decided to take a leap and launch a new project -- which will be announced Monday. But today I want to talk about EV certificates, individuals and why the CA infrastructure is broken.
I started out with this latest site by trying to request an EV certificate -- you know, the trust-inspiring green bar, which says clearly who the site is run by. If you've never seen an EV cert, take a look at https://www.verisign.com and how their SSL certificate looks. It's a better design than a normal SSL certificate and requires websites to prove who they are run by.
For my latest project, I need to run the site as an individual, not through my company as I normally do for commercial projects. This is where the problems started.
I applied for an EV cert so the site would clearly say 'Run By Kevin McArthur'... and here comes the rub: the cert was declined due to the fact that I was an individual. Apparently, individuals are ineligible for an EV certificate... so I could have left it there, but I noticed Firefox still shows the "Run By" line on blue-colored (non-EV) certificates, though it's usually "Run By (Unknown)" because most Certificate Authorities only do domain control validation and do not validate the full certificate subject. They only check that you have control over the domain name, which -- for most sites -- is probably OK.

But I wanted people to know that I, as an individual, run this new site, so I went through the validation procedure. That is, I had my certificate's subject fully validated, and provided the ID required to back up the claim. The CA issued my fully-validated certificate, and to my surprise Firefox still shows 'Run By (unknown)' even though the O=, L=, ST=, C=, etc. fields are in fact validated.
So I've now got a proper cert, went through the trouble of validating my identity, and unless you dig into the certificate, you'll never know that it's more trustworthy than one that just had domain control validation. This is a pretty epic failure by the Firefox development team that there is no distinction. It's a pretty epic failure by CABForum that I can't get an EV certificate as an individual.
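The distinction the post is complaining about is something you can check on any certificate yourself. Browsers do not infer EV from the O=, L=, ST= and C= fields; they key EV treatment off a certificate policy OID in the certificatePolicies extension that the issuing CA asserts (today the CA/Browser Forum EV identifier 2.23.140.1.1, alongside 2.23.140.1.2.2 for organization-validated and 2.23.140.1.2.1 for domain-validated certificates; at the time of this post CAs used their own vendor-specific EV OIDs), and only when that OID is registered against an EV-enabled root in the browser's trust store. EV certificates also carry extra subject attributes such as businessCategory and serialNumber, but a populated subject on its own proves nothing. The shell script below is an added example, not from the original post: it generates two self-signed test certificates with identical, fully populated subjects, one of which additionally carries the EV policy OID, and then classifies each by its policy OID alone. The subject values, file names and the 2.23.140.1.* OIDs it recognizes are this example's assumptions, and it needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example (not from the original post): show that a certificate's
# subject fields say nothing about how it was validated, and that the
# certificatePolicies extension is where the EV/OV/DV claim actually lives.
# Everything below is constructed: the two certs are self-signed test certs,
# the subject values are placeholders, and the file names are arbitrary.
# Requires OpenSSL >= 1.1.1 (for -addext).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Identical, fully populated subject for both certs (constructed values).
SUBJ="/C=CA/ST=Example Province/L=Example City/O=Kevin McArthur/CN=www.example.test"

# make_cert NAME [EXTENSION]: self-signed cert at $WORK/NAME.pem, optionally
# with one extra X.509v3 extension such as certificatePolicies=OID.
make_cert() {
  if [ -n "$2" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -addext "$2" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$SUBJ" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# cert_policies FILE: print the policy OIDs from the certificatePolicies
# extension, one per line (empty output when the extension is absent).
cert_policies() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: //p'
}

# validation_hint FILE: classify using the CA/Browser Forum policy OIDs only.
# 2.23.140.1.1 = EV, 2.23.140.1.2.2 = OV, 2.23.140.1.2.1 = DV (assumed current
# values; older CAs used vendor-specific EV OIDs instead). The subject is
# deliberately never consulted.
validation_hint() {
  if cert_policies "$1" | grep -qxF '2.23.140.1.1'; then
    echo EV
  elif cert_policies "$1" | grep -qxF '2.23.140.1.2.2'; then
    echo OV
  elif cert_policies "$1" | grep -qxF '2.23.140.1.2.1'; then
    echo DV
  else
    echo unknown
  fi
}

make_cert validated_subject                          # full subject, no policy OID
make_cert ev_oid "certificatePolicies=2.23.140.1.1"  # same subject plus EV OID

for name in validated_subject ev_oid; do
  echo "== $name.pem"
  openssl x509 -in "$WORK/$name.pem" -noout -subject
  echo "policy OIDs: $(cert_policies "$WORK/$name.pem" | tr '\n' ' ')"
  echo "validation hint: $(validation_hint "$WORK/$name.pem")"
done
```

Both certificates print the same subject line, and only the policy OID separates them. That is the whole mechanism: the CA's validation work is visible to a browser only through the policy OID plus the root the browser has enabled for EV, so a CA that fully validates a subject but issues under a non-EV policy produces a certificate that, to the browser, is indistinguishable from a domain-validated one. A self-signed certificate carrying the EV OID, like the one generated here, earns no green bar either, because the OID is necessary but the trust store decides.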
So on Monday, when I launch my new site, know that I tried to provide the best security experience possible, and that I have a plan to make it all better in the future...