SSL Certificate Class 2 vs Class 3 vs Class 4
I just got a "Premium EV SSL Certificate" form GoDaddy.com. Apparently as of 8 months ago GoDaddy doesn't provide Class 3 Certificates. (http://support.godaddy.com/groups/go-daddy-customers/forum/topic/what-class-is-my-cert/) They also metntioned the use of certificates to be:
Class 1 for individuals, intended for email.
Class 2 for organizations, for which proof of identity is required.
Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
Class 4 for online business transactions between companies.
Class 5 for private organizations or governmental security
- Isn't EV certificate validation the same as a Class 3 validation? Why are EV certificates not just class 3?
- Do people use Class 4 Certificates? Technically we use our certificate for a B to B SOAP. Which would fall under Class 4. Is a class 4 really needed?
- Where is a list of CA's and the certificates that they issue?
- Since it boils down to encryption is there any major difference between certificates besides validation that you say you are who you are?
- What determines if a CA can give out Class 2 vs Class 3 and Class4 Certificates?
Thanks!
Solution 1:
Marketing hype (and cost). This is not part of the spec. This is from Wikipedia:
http://en.wikipedia.org/wiki/Public_key_certificate
Vendor defined classes
VeriSign uses the concept of classes for different types of digital certificates [3]:
- Class 1 for individuals, intended for email.
- Class 2 for organizations, for which proof of identity is required.
- Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.
- Class 4 for online business transactions between companies.
- Class 5 for private organizations or governmental security.
Other vendors may choose to use different classes or no classes at all as this is not specified in the SSL protocol, though, most do opt to use classes in some form.
This is new(ish). They used to actually verify all requests to make sure you were who you said you were. This has gone by the wayside so you can get a cert in a few minutes instead of a few days.
Solution 2:
Any "Certificate Class" value is purely marketing stuff. Technically, a "Certificate Authority" (CA) is just a regular SSL/TLS certificate in browser's preinstalled Certificate Store, except for the fact that these certificates do not include the extra extension flag that is embedded inside pretty much every normal certificate:
Certificate Basic Constraints
Critical
Is not a Certificate Authority
Technically, any CA in your browser's Certificate Store can create additional CA certificates just by not including this extension in the certificate they sign and only the CA policy can avoid that. And the Extended Verification (EV) certificate is just an additional extension flag that says
Certificate Policies
Not Critical
Extended Validation (EV) SSL Server Certificate
Notice the "Not Critical" status; any software is free to ignore this stuff. The only thing that prevents a CA from adding this flag to every certificate that they sign is their own policy. Other than that, it's only a couple of bytes added to the certificate file before signing the certificate.
So basically this all boils down to having security that matches the weakest CA that has ever been accepted into the browsers. The "Certificate Class" exists technically only inside the user visible CA label so it has zero real world difference in the security. Because all CAs are technically the same, it makes nearly zero difference if the actually enforced policy of a single CA is actually sane - this is because potential attacker can always use some another CA to get his fake certificate.
I'd highly recommend watching talk by Moxie Marlinspike called "SSL And The Future Of Authenticity" given in Black Hat USA 2011: http://www.youtube.com/watch?v=Z7Wl2FW2TcA. it helps you to understand why the current CA system is very weak.
I'd recommend purchasing any certificate that gets default warnings to go silent in your client software. If you want nicer badge in the browser UI, purchase any EV certificate. If and when you need more security, always check the certificate fingerprint by yourself; never trust any third party CA to do their stuff properly.
Solution 3:
Not quite. Most reputable Certificate vendors do all of that Class 3 checklist. An EV cert is just an extra thorough version of the same checks, and you can fail those checks for many more reasons that 'regular' ones.