EV cert support for Firefox
Categories
IE7 introduced support for Extended Validation SSL certificates (aka High Assurance certificates). Any time you hit a site with one of these certs, the address bar changes colour to green. I've previously posted links to a couple of sites Microsoft host that allows you to test this.
While scouring the net looking for ways of integrating this into a project that hosts IE's web browser, I came across this article on Wikipedia, which contained this link to a plugin to enable the nice green address bar in Firefox. And it's written by VeriSign, which is nice of them (considering other CA's certs are going to be in competition with them).
Unfortunately, its support is not as complete as IE7. Currently, it only knows about EV certs from VeriSign, Thawte and GeoTrust. (Wikipedia lists 7 other CA's that support EV.) But it's a good start.
And if you're interested in how EV certs are implemented, just download the Firefox .xpi file and change the extension to .zip. You can see it's got a certs folder, containing various new root certs for the CAs. I don't pretend to know why they need new root certs, or why the old ones can't be used. The chrome folder has a .jar file, which can again be renamed to .zip and extracted. This contains a bunch of css files, some images and some Javascript.
evcextension.js is the file with all the goodies. And it's here where you can really see how messy the EV implementation is. Each CA has their own OID that marks a cert as being EV. (OID is an object identifier. Think of it as the way a cert identifies each of it's properties.) And since each CA has their own, they're all different. So, the process is to walk the certificate chain. If the certificate contains one of the recognised OIDs, the hash of the chained root cert must match the expected hash of the OID matching CA's root cert.
Fairly simple process, but messy - the addin must know about all CAs, all of their root certs and the OID they choose to identify their version of EV. (And there are other parts to implement too, such as changes to the revocation list checking.) So any change to a CA root cert, or adding new, known CA's requires an update to the addin.
The above linked Wikipedia article lists 10 CA's. Theoretically, it should be easy to add support for all of them. Just add the OID's and the matching root certs. Of course, finding all the root certs might be a bit tricky, especially when there looks like there are new ones that need to be downloaded and installed. I wouldn't like to mess here - just leave it to the people who know about this stuff.
Of course, the nice test site run by Microsoft doesn't work because the Firefox addin doesn't know about Microsoft's test root cert. That is something that I wouldn't mind hacking.
So, now we know how to support EV certs. We've got to do a lot of leg work and find out all the CA's that support it, what their OID's are and what their root certs are. If any of them change, we won't get notified. If we do find out they've changed, it's an update to our implementation (and we'd have to be careful about putting that data in config - we don't want it hacked so that any cert can be labeled EV).
Wouldn't it be nice if Internet Explorer exposed its implementation for the rest of us to hook into, especially when hosting the WebBrowser control?