<p>Extended validation is mostly useful from a user-interface perspective. It's not so useful if your client doesn't have anything in its user interface to display the certificate. These verifications are not integrated by default in the JSSE, possibly because there is little demand for it (lack of Java browsers). (By the way, you should verify the certificate you get upon connection, not check with a first connection and connect with another, just in case).</p> <p>The specifications are defined by the <a href="http://www.cabforum.org/Guidelines_v1_3.pdf" rel="nofollow">CA/browser forum</a>.</p> <p>The OID values and root CA certificate fingerprints are hard-coded into browsers (see <a href="http://hg.mozilla.org/mozilla-central/file/eab4a81e4457/security/certverifier/ExtendedValidation.cpp" rel="nofollow"><code>security/certverifier/ExtendedValidation.cpp</code> in Firefox, used to be in <code>security/manager/ssl/src/nsIdentityChecking.cpp</code></a>). There is also a <a href="http://en.wikipedia.org/wiki/Extended_Validation_Certificate" rel="nofollow">list on Wikipedia</a> for reference, although in principle you should check the policy OIDs with each CA.</p> <p>To analyse the extensions, it might be useful to use <a href="http://www.bouncycastle.org/" rel="nofollow">BouncyCastle</a> if <code>X509Certificate.getExtensionValue()</code> isn't enough.</p> <p>One problem you will have to watch out for is that the hard-coded SHA-1 fingerprints of the root CA certificates need to match exactly those certificates in the trust store. Some CAs renew their CA certificates once in a while in the bundles that are shipped with most browsers/OS/JREs: make sure you're using the same.</p>
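<p>As an added illustration of the checks described in the answer above (example code written for this page, not part of the original answer or of any library), here is a JSSE-side EV check in plain Java that avoids BouncyCastle by parsing the <code>CertificatePolicies</code> extension (OID 2.5.29.32) returned by <code>X509Certificate.getExtensionValue()</code> directly. The root table, its all-zero placeholder fingerprint and the OID <code>1.3.6.1.4.1.99999.1.1</code> are hypothetical stand-ins; real entries come from each CA's policy documents and the browser sources linked above. The code assumes the chain has already been validated by JSSE/PKIX and that its last element is the trust anchor actually present in your trust store.</p>

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * EV check as described in the answer: the SHA-1 fingerprint of the root CA selects the
 * EV policy OID, and that OID must appear in the leaf's CertificatePolicies extension.
 * Assumes chain[0] is the leaf and chain[chain.length - 1] is the trust anchor from the
 * local trust store (the chain JSSE hands back may omit the root; resolve it yourself).
 */
public final class EvCheck {

    // Hypothetical table: root SHA-1 fingerprint (upper-case hex) -> EV policy OID.
    // Real values come from each CA's CPS / the browser sources cited in the answer, and the
    // fingerprint must be that of the root certificate actually in your trust store.
    private static final Map<String, String> EV_ROOTS = new HashMap<>();
    static {
        // Placeholder entry, NOT a real CA.
        EV_ROOTS.put("0000000000000000000000000000000000000000", "1.3.6.1.4.1.99999.1.1");
    }

    private static final String CERTIFICATE_POLICIES = "2.5.29.32";

    /** Upper-case hex SHA-1 over the DER encoding, the form browsers hard-code. */
    public static String sha1Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder(40);
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    /** Minimal DER tag/length reader, enough for CertificatePolicies without BouncyCastle. */
    private static final class Der {
        final byte[] buf;
        int pos;
        Der(byte[] buf) { this.buf = buf; }
        int tag() { return buf[pos++] & 0xFF; }
        int length() {
            int b = buf[pos++] & 0xFF;
            if (b < 0x80) return b;                     // short form
            int n = b & 0x7F, len = 0;                  // long form: n length bytes follow
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos++] & 0xFF);
            return len;
        }
    }

    /** Decodes a DER OBJECT IDENTIFIER value (base-128 arcs) into dotted form. */
    static String decodeOid(byte[] b, int off, int len) {
        StringBuilder sb = new StringBuilder();
        long arc = 0;
        boolean first = true;
        for (int i = off; i < off + len; i++) {
            arc = (arc << 7) | (b[i] & 0x7F);
            if ((b[i] & 0x80) != 0) continue;          // more bytes of this arc follow
            if (first) {                                // first two arcs are packed together
                long a0 = arc < 40 ? 0 : (arc < 80 ? 1 : 2);
                sb.append(a0).append('.').append(arc - 40 * a0);
                first = false;
            } else {
                sb.append('.').append(arc);
            }
            arc = 0;
        }
        return sb.toString();
    }

    /** All policyIdentifier OIDs in the certificate's CertificatePolicies extension. */
    public static Set<String> policyOids(X509Certificate cert) {
        Set<String> oids = new HashSet<>();
        byte[] ext = cert.getExtensionValue(CERTIFICATE_POLICIES);
        if (ext == null) return oids;
        Der d = new Der(ext);
        if (d.tag() != 0x04) return oids;               // extnValue is an OCTET STRING ...
        d.length();
        if (d.tag() != 0x30) return oids;               // ... wrapping SEQUENCE OF PolicyInformation
        int seqLen = d.length();
        int end = d.pos + seqLen;
        while (d.pos < end) {
            if (d.tag() != 0x30) break;                 // PolicyInformation ::= SEQUENCE
            int piLen = d.length();
            int piEnd = d.pos + piLen;
            if (d.tag() == 0x06) {                      // policyIdentifier OBJECT IDENTIFIER
                int oidLen = d.length();
                oids.add(decodeOid(ext, d.pos, oidLen));
            }
            d.pos = piEnd;                              // skip policyQualifiers, if present
        }
        return oids;
    }

    /** True only if the trust anchor is a known EV root and the leaf carries that root's EV OID. */
    public static boolean isExtendedValidation(X509Certificate[] chain) throws Exception {
        if (chain == null || chain.length < 2) return false;
        X509Certificate leaf = chain[0];
        X509Certificate root = chain[chain.length - 1];
        String evOid = EV_ROOTS.get(sha1Fingerprint(root));
        if (evOid == null) return false;                // root not in the EV table
        return policyOids(leaf).contains(evOid);
    }
}
```

<p>Call <code>isExtendedValidation</code> on the chain of the very connection you are about to use (after the handshake, from <code>SSLSocket.getSession().getPeerCertificates()</code>), not on a probe connection, as the answer warns. Since <code>getPeerCertificates()</code> often stops at the last intermediate, look the trust anchor up in your own trust store before passing the chain in; a mismatched fingerprint there silently turns every EV site into a non-EV one, which is exactly the renewed-root problem the answer's last paragraph describes.</p>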