Download PDF version here.

• What is an EV (Extended Validation) SSL certificate?
• Why is there a need for Extended Validation certificates?
• Is Extended Validation a new Standard?
• Who is defining the new guidelines for these Extended Validation SSL Certificates?
• What is the Certification Authority/Browser Forum?
• What kind of Information does the EV SSL certificate display?
• Will certificate provider names be shown in the toolbar?
• Will I need to get additional assessments to get an EV certificate?
• Terms like "High Assurance", "Extended Validation", "Domain only", "Low Assurance" and "Enhanced Validation" are all being used in describing different types of SSL certificates. What's the difference between these SSL certificates?
• Will companies require new EV certificates? Is there a timeframe around the switchover?
• How will EV SSL certificates increase consumer confidence?
• How is a consumer expected to distinguish between the different types of SSL certificates?
• What is the change-over process, and can I change providers?
• What are the benefits of EV SSL certificates to Website owners?
• Why do I need an EV Certificate on my site?
• Is my existing High Assurance SSL certificate still sufficient for protecting online transactions?
• What if I need to protect many web sites with EV certificates?
• Will I be able to upgrade my existing High Assurance SSL certificate to get a green bar in the Browser?
• Are EV SSL Certificates available for purchase now?

Q: What is an EV (Extended Validation) SSL certificate?

A: An Extended Validation (EV) SSL certificate works with new, secure Web browsers to clearly identify a website's organizational identity. For example, if you use Internet Explorer 7.0, the address bar will turn green to identity this site as having an EV SSL certificate. It will also display the padlock as an icon of trust. However, the address bar will not turn green if the website does not have an EV SSL certificate.

Q: Why is there a need for Extended Validation certificates?

A: Until now, there have been no generally-accepted standards for verifying the organizational information that is contained in some certificates, so uncertainty has arisen in users' minds over the significance of the padlock icon. This confusion has been compounded by the growing practice of website operators to display padlock icons within the site contents.

Furthermore, the URLs that commonly appear in browser address bars have become obscure and users can no longer use these to assure themselves that they are transacting with the website operator that they expect. Therefore, there arose a need to display trusted identifying information about the operator of the website, and to do it in a way that clearly indicated to users the identity of the business entity with whom they were doing business. This had to be done in a way that established minimum standards for the trustworthiness of that identifying information. Hence, the major browser suppliers and a group of certification authorities (CAs) came together to develop these minimum standards. At the same time, some browser suppliers developed user interface standards for displaying that information to emphasize its trustworthiness.

With these combined developments, it is expected that the Web users who engage in sensitive transactions with their governments, financial service providers, health care providers, etc. will look for these new cues as part of their personal Web use routine.

Q: Is Extended Validation a new Standard?

A: Yes. It has been introduced to protect your website against phishing and other fraudulent online activities. Since most Internet crimes rely on false identity, EV certificates require that organizations go through a rigorous validation process that meets the Extended Validation guidelines established by the Certification Authority/Browser (CA/B) Forum to combat these threats. In addition to confirming domain name ownership, the process includes authenticating the authority of the contact person requesting the certificate, verification of the business with government or third party business registries, and other methods to assure the legal and physical existence of the business.

Q: Who is defining the new guidelines for these Extended Validation SSL Certificates?

A: The guidelines for the new EV SSL certificates are being defined by the Certification Authority/Browser Forum. Forum members are browser companies including Microsoft, Mozilla, Opera and Konqueror (KDE) in partnership with Certificate Authorities, with participation from other organizations representing banking and legal associations.

Q: What is the Certification Authority/Browser Forum?

A: The Certification Authority Browser Forum (CA/Browser Forum) is a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications. Members of the CA/Browser Forum have worked closely together in defining the guidelines and means of implementation for the Extended Validation (EV) SSL Certificate standard as a way of providing a heightened security for Internet transactions and creating a more intuitive method of displaying secure sites to Internet users.

Q: What kind of Information does the EV SSL certificate display?

A: Identity confirming company information will include, but is not limited to: company name, domain name, government business registration number, business address.

Q: Will certificate provider names be shown in the toolbar?

A: Yes, when you use an EV certificate, your business' legal name and Cybertrust's name as your certificate authority will display next to the web address, alternating every few seconds.

Q: Will I need to get additional assessments to get an EV certificate?

A: In the past, inconsistent information in online business and internet domain name databases was either concluded to be reasonable by our registration agents by discussing the differences with our customers, or by other CAs that use automated certificate factories ignoring the anomalies altogether. The EV Guidelines require that we must be able to locate consistent information about an EV certificate applicant. Inconsistent information needs to be updated, or more thoroughly documented than a phone call. New businesses will be subject to tougher checks than established businesses. Actual government records will be consulted rather than the business databases used solely today that may contain information that is self-reported by a business. In certain cases, applicants may need to obtain the opinion of their lawyer, accountant, or bank to demonstrate aspects of their trustworthiness as a legitimate business.

However, the EV certificate process was designed from the start to identify risk and examine risk more thoroughly. The vast majority of businesses that have been operating in a legitimate manner for years will find the EV process to be a minor increase in effort. Those businesses that have public records and business database entries with conflicts, or public information that conflicts with the details in the certificate request will face a more critical and time-consuming examination of the differences. The primary goal of the EV certificate investigation is to determine when a business is trying to impersonate another business. Inconsistent information will cause extra work for our applicants. To be ready for EV certificates, Cybertrust recommends that our customers examine their incorporation records, business database entries, and domain name registrations for consistency.

Q: Terms like "High Assurance", "Extended Validation", "Domain only", "Low Assurance" and "Enhanced Validation" are all being used in describing different types of SSL certificates. What's the difference between these SSL certificates?

A: The main difference between these certificates is their respective levels of identity verification:

"Domain only" certificates, also known as "low assurance" certificates, only verify domain ownership. Unfortunately, these certificates provide virtually no identity assurance whatsoever since domain validation ignores the name of the business.

"High Assurance" certificates refer to certificates that include identity validation from a Certification Authority using currently established and accepted vetting processes. These SSL certificates are seen as significantly superior to domain only SSL certificates because users can trust that an objective third party - a certification authority, has verified the identity of the website. These certificates will not cause browsers to show a special appearance that means a rigorous examination of the business identity in the certificate was completed.

"Extended Validation" (EV) SSL certificates are the newest option for eMerchants as these SSL certificates require the most stringent verification processes as outlined in the guidelines developed by CA/B Forum. The advantage of these the next generation high assurance SSL certificates is that these certificates work with the new secure browsers to include a new visual indicator that confirm the site's identity. No certificates issued in the past will have this ability. There has never been an EV certificate.

Q: Will companies require new EV certificates? Is there a timeframe around the switchover?

 A: Consumers, not companies, will demand that all websites that do business on the Internet have EV certificates. When consumers realize that EV Certificates create a clear and certain proof that they are connected to the site that they intended, and the owner of that site can be identified and located, these consumers will abandon transactions with businesses that use weak certificates and take their business to a strongly authenticated company identity that displays an EV certificate on its secure website. When businesses are looking to establish a partnering arrangements, their confidence in a strong certificate will be a factor in choosing among candidates.

At the end of January 2007, Microsoft released its new Vista operating system. Internet Explorer 7 browsers on Vista will display the green and red bars described above. From now on, consumer behavior will encourage your business to beat or meet your competitor's ability to visibly prove your concern for the security of your customers and partners.

Cybertrust has been actively engaged in the development of the guidelines for issuing these new certificates, and we are ready to enable your business with an extended validation certificate so that you're ready as consumers upgrade to Microsoft's new operating system. Since there is nothing in an EV certificate that breaks the security used in current browsers, you can move to EV ahead of the curve with Cybertrust.

Q: How will EV SSL certificates increase consumer confidence?

A: High profile incidents of fraud and phishing scams have made Internet users very concerned about identity theft. Before they enter sensitive data, they want proof that the website can be trusted and their information will be encrypted. Without it, they might abandon their transaction and do business elsewhere. EV SSL Certificates provide third-party verification using a highly visual display that gives consumers confidence and builds trust in e-commerce.

Q: How is a consumer expected to distinguish between the different types of SSL certificates?

A: The presence of a verifiable High Assurance SSL certificates provides reassurance to consumers. Low assurance certificates, by contrast, are not inherently trusted by browsers. EV certificates will be recognizable by different browser behavior.

Q: What is the change-over process, and can I change providers?

A: Cybertrust understands that customers requesting EV certificates will be presented with information requirements more extensive than had been posed to them by many commercial Certification Authorities in recent years. Current Cybertrust certificate customers won't experience quite the same shock of the new procedures as customers of CAs that use weak automated processes, because Cybertrust's verification procedures have always been rigorous and performed by human professionals.

Regardless of whether your organization is a new or an existing customer, Cybertrust will provide step by step guidance to assure success in obtaining EV certificates. As soon as we receive your request for an EV certificate, we will provide a complete menu of information needs and sources that will assure prompt approval. We will provide tips on where to find the required information. Upon receiving your validating information, Cybertrust will reply with either a grant of EV certificates or a list of recommended actions needed to obtain that grant.

We encourage EV requesters who had already obtained conventional certificates from commercial providers other than Cybertrust to try out our EV certificates process. Your existing certificate provider is prevented from using any information it knows about you to shortcut the issuance of an EV certificate, so if you are looking for a certificate provider who is committed to making EV certificates easy to obtain, we invite you to experience the Cybertrust difference.

Q: What are the benefits of EV SSL certificates to Website owners?

A: An EV SSL Certificate helps visitors complete secure transactions with confidence because your site has the "green bar" in IE 7 and your competitor's site does not. That's a competitive advantage that translates into higher conversion and more revenue.

The new certificates can also help:

• Make it more difficult to mount phishing schemes and other online identity fraud attacks using SSL certificates;
• Assist companies that may be the target of phishing attacks or online identity fraud by providing them with a tool to better identify themselves and their legitimate Websites to users;
• Assist law enforcement in investigations of phishing and other online identity fraud, including where appropriate, contacting, investigating, or taking legal action against the perpetrator.

Q: Why do I need an EV Certificate on my site?

A: Today's fastest growing threat is phishing, where a fraudulent website impersonates a legitimate business to attract unsuspecting visitors into divulging personal information. The increasing awareness to this problem has caused consumers to not trust buying online.

To stem this erosion of trust, EV SSL certificates, for the first time, let customers visibly see that they are doing business with an identity verified business. Using an EV SSL certificate will assure them that your website really is who it claims to be.

Q: Is my existing High Assurance SSL certificate still sufficient for protecting online transactions?

A: SSL certificates will continue to provide security encryption to make sure that data being transferred between your website and the browser can not be stolen. Your current high assurance SSL certificate will continue to be viewed as an identity assurance certificate far superior to low assurance or domain only validated certificates. What varies is the level of identity assurance that comes with these SSL certificates The new EV certificates provide a browser based confirmation only to users who have the new browsers. However, today and in the future, your high assurance SSL certificate still provides excellent identity assurance to users who do not have the "EV enabled" browsers yet.

Q: What if I need to protect many web sites with EV certificates?

 A: Cybertrust recognizes that EV certificate enrollment involves several activities that have never been done before that will take your time away from managing your business. Cybertrust has always offered certificate solutions that cut out repetitive verification for businesses that need to protect many web brands. Our CorporateSSL solution establishes trusted staff from your business as certificate approvers that can issue certificates independently. Cybertrust experts will complete the entire investigation needed for your business and your web domain names and enable your own staff with the privilege to immediately issue EV certificates. By performing these checks once per year and issuing certificates to the people in your business that are trusted to issue certificates, Cybertrust not only delivers low total cost of ownership and rapid turnaround time for EV certificates on the market, but also lets you get back to the business of running your business.

Q: Will I be able to upgrade my existing High Assurance SSL certificate to get a green bar in the Browser?

A: Absolutely. Cybertrust can offer you a quick migration path from your existing SSL certificate, regardless of issuer. Simply contact us to find out more.

Q: Are EV SSL Certificates available for purchase now?

A: Yes, Cybertrust EV SSL certificates are ready for purchase now.

To purchase single EV SSL certificates, including Cybertrust's exclusive EV SSL Starter Kit, visit Extended Validation SSL Server Certificates. If you are not sure how many EV SSL certificates you will want to purchase, contact your Cybertrust account representative.

If you don't have a Cybertrust account representative, call 888 396 8348 (toll-free) or 703 480 8348 (direct). If you are located outside of North America, look for the phone number of a Cybertrust location nearest you in Cybertrust's Office Directory.

You also may reach us through Cybertrust's EV SSL Certificate Registration Page.