Fraudulent certificates in the wild — again
Posted Jan 21, 2013 9:51 UTC (Mon) by anselm
In reply to: Fraudulent certificates in the wild — again
Parent article: Fraudulent certificates in the wild — again
All that matters in there is one other bit set (in what field I don't know), in the BofA cert that says "this is an extended validation cert", which means that the cabal of CA vendors promise that they actually validate who the cert belongs to, and they set the rules that prohibit anyone other than that handful of (I think 5) vendors from issuing any certs that set that "extended validation" bit
Actually, there is no »extended validation cert« bit. The way a browser recognises an EV certificate is that it has a list of all the vendors (there's about 25 of them now, not 5) that issue EV certificates, together with a special OID – different for each vendor – that that particular vendor will reference in an EV certificate's Certificate Policies extension field. When a certificate from one of the EV certificate vendors comes in, the browser checks that certificate's CP extension field against the list entry for that vendor, and if there is a match, then the certificate is considered an EV certificate.
This tricky method makes it nearly impossible for vendors outside the cabal – or indeed entities who operate their own internal CAs – to offer certificates that look like EV certificates and are treated by browsers as such. If you want to join the cabal, you essentially need to convince the browser makers (by filing large amounts of expensive paperwork) that you're crossing every t and dotting every i, and they will include your magic OID in their list of EV certificate issuers.
to post comments)