CF: What's an extended validation?

SH: On EV SSL is a kind of certifi cate that I blogged about recently and you can see that at shrinkster/jkx and this talks about the evolution of SSL certificates and how - right now if I visit Franklins.net and I see a little lock-up there because I am under SSL. Right there, that lock says the information is encrypted on the wire but people have started to associate that lock with a sense of trust that, oh, if I see the lock, it's okay. But that doesn't necessarily imply I am looking at franklins.net. I could be looking at Franklinsevilphisher.net. EVS SSL is a new kind of extended validation or what they call a High-Assurance SSL certificate. And these certificates are a new kind of certificate...an emerging standard...probably be ratified in the next couple of months. It's supported in IE 7. Now there is an example. You can go and download it. And you can see it at woodgrovebank.net and if you visit a site that has one of these extended validation certificates, your address bar is going to turn bright green and you are going to get an additional lock that's going to shift back and forth between the name of the organization, not the URL, but the actual name of the organization that the certificate is for and then the certificate issuer and it will kind of cycle back and forth.

CF: That's at woodgrovebank.com, by the way.

SH: Is it?

CF: Yeah.

SH: Oh my bad...hang on one second. Yeah, you are absolutely right, it's woodgrovebank.com and if you have installed the test certifi cate, you will see in IE 7 that address bar turn bright green. It's just an example of what the certifi cate experience will look like. And what that means to like a bank or any kind of an e-commerce site is that they're going to have to go through some additional auditing to prove that they are in fact who they say they are because like I just got a certifi cate for hanselman.com from godaddy.com. I think it took, I don't know, 10 minutes to get an SSL certificate hooked up. It was crazy, I just went up, got the cert, asked my ISP for a request, confirmed that I, in fact, own the domain and I had a cert.

CF: I use instantssl.com. 30 bucks.

SH: It's easy to get secure wire access but they want to make it more diffi cult to say that I am, in fact, Woodgrove bank or Hanselman bank and I think that within a year or two we are going to see all of the different browsers supporting that. Firefox has indicated that they will support it. Opera has indicated that they will support it.

CF: Usually they are using - right now they are using like Dun & Bradstreet. You have to have a D&B account and that's an easy way for them to verify your address and all that blah, blah, blah...

SH: Right. They want to prove that you are a real organization.

CF: Some actually - they used to come out to your site and take pictures. Did you know that?

SH: Did they?

CF: Yeah.

SH: Like auditing?

CF: Yeah, they used to require that they would have to come out and take a photo to make sure you are who you say you are.

SH: Now see some people think that it's not fair to the little guy. They are saying that that's going to make it more difficult for the little guy to...

CF: Well, they don't do that anymore.

SH: Yeah?

CF: Yeah.

SH: There are a number of different things that people should be checking out if they want to learn about InfoCard. There is a great video up on channel 9 at www.shrinkster.com/jkw and you can also learn about protecting your identity online. There are good kinds of things you can do and bits of information about yourself that are low, medium, and high sensitivity at www.shrinkster.com/jkt and then you can also like I said learn about EV SSL at my blog at www.shrinkster.com/jkx. A lot of people have been commenting that they think this is a way for the certificate authorities to get rich by requiring an expensive certificate and I am not sure whether I think that's the case but there is a good conversation going on in the comments up on the blog there so check that out. I reason that the way EV SSL makes sense in the context of InfoCard is that both of these things are giving an entirely new visual cue and visual metaphor for what it means to visit a secured site. So there's going to become kind of an expectation on the part of the users that just as they look for that lock, they are going to start looking for that InfoCard. They are going to start looking for that bright green address bar and that new warning whether or not a site is secure and I think it's conceivable that there will be a time when browsers will come with a default that will only allow certificates that are of this higher assurance. It's not something that's going to happen tomorrow but it will definitely happen in the next year or so, I think.

CF: Awesome. Well, hey, Scott, that's a show. Thanks a lot. What a great show!

SH: Thank you.

CF: I don't know what else to say about it. It's a great topic and I can't wait to see it evolve.

SH: Yeah, I really encourage people to check it out; go install the .NET Framework 3.0. I am running the September CTP but you can also get the RC1. The September CTP is a little bit newer but you can check all of the stuff, all about CardSpace at www.shrinkster.com/jkq up at Netfx3.com and we'll have all these links up on the Hanselminutes site.

CF: All right and until then we'll see you next week on Hanselminutes.