7. 7
Certificates of Internet Trust
Type of certificate | Domain validated? | Subject Name Validated? | Address Validated? | Pad Lock Displayed by Browser? | Green address bar or other special treatment? | Relative price
DV | X |   |   | X |   | $
OV | X | X | X | X |   | $$
EV | X | X | X | X | X | $$$
Source: CA/Browser Forum
22. 22
How Certificate Transparency Works
Certificate Transparency (CT) works within the existing Certificate Authority (CA)
infrastructure as a way to provide post-issuance validation of an entity’s
authorization for the issuance of SSL Certificates. The certificate issuance process is
shown below with new steps introduced by CT highlighted in blue.
1. Server operator purchases certificate from CA
2. CA validates server operator
3. CA creates a precertificate
4. CA logs the precertificate with the log server, which returns a signed certificate
timestamp (SCT)
5. CA issues SSL Certificate
6. SSL Certificate may include signed certificate timestamp (SCT)
7. Browser validates SSL Certificate during the TLS handshake
8. Browser validates the SCT provided during the TLS handshake, either through
OCSP stapling, through a TLS extension, or from information embedded in the
certificate
9. Browser makes connection with the server
10. SSL Certificate encrypts all data as it is passed from the browser to the server
Credit to: www.digicert.com
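Step 8 as an added example (not part of the original slides or DigiCert's material): a parser for the SCT list a browser receives, following the wire layout in RFC 6962 sections 3.2 and 3.3, plus a check of which trusted logs vouch for the certificate. The log IDs, timestamps and placeholder signature bytes are constructed sample data; signature verification against the log's public key is not shown.

```python
import struct

def parse_sct(sct: bytes) -> dict:
    """Parse one v1 SCT (RFC 6962, section 3.2)."""
    if len(sct) < 47:
        raise ValueError("SCT shorter than its fixed fields")
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
    if version != 0:
        raise ValueError("unsupported SCT version")
    pos = 43 + ext_len                      # skip CtExtensions
    if pos + 4 > len(sct):
        raise ValueError("extensions overrun SCT")
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, pos)
    if pos + 4 + sig_len != len(sct):
        raise ValueError("signature length mismatch")
    return {"log_id": log_id, "timestamp_ms": ts_ms, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": sct[pos + 4:]}

def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962, section 3.3)."""
    if len(data) < 2 or struct.unpack_from(">H", data)[0] != len(data) - 2:
        raise ValueError("outer list length mismatch")
    scts, pos = [], 2
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated SCT length prefix")
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("truncated SCT entry")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def usable_logs(scts, trusted_log_ids, now_ms):
    """Distinct trusted logs whose SCT timestamp is not in the future."""
    return {s["log_id"] for s in scts
            if s["log_id"] in trusted_log_ids and s["timestamp_ms"] <= now_ms}

def sample_sct(log_id: bytes, ts_ms: int) -> bytes:
    # Constructed test data: no extensions, 8-byte placeholder "signature".
    body = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)
    body += struct.pack(">BBH", 4, 3, 8) + b"\x00" * 8   # 4 = sha256, 3 = ecdsa
    return struct.pack(">H", len(body)) + body

LOG_A, LOG_B = b"A" * 32, b"B" * 32          # constructed log IDs
ENTRIES = sample_sct(LOG_A, 1_700_000_000_000) + sample_sct(LOG_B, 1_700_000_100_000)
SAMPLE_LIST = struct.pack(">H", len(ENTRIES)) + ENTRIES
```

The same list structure is carried by all three delivery paths named in step 8 (OCSP stapling, the TLS extension, and the certificate-embedded extension), so one parser serves each.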
27. 27
Should the Browsers Govern Internet Trust?
YES:
They are the visible face to Internet Users (green bar)
They have name recognition
They rely on CA performance
They have the compute resources
They exact leverage using the Browser Trust Store

NO:
They are not independent
They are not Certification Authorities
They are not Auditors
They are commercially motivated
Their fairness can be questioned