...the industry. The companies have involved the American Bar Association as an independent affiliate to help with the guidelines, representatives from several certification authorities said.
"We have come far and think that by mid-year we will actually have a working product," Bailey said. VeriSign and Comodo also expect to have the new type of certificate available next year.
New procedures
WebPay, provider of the Click&Buy — an online payment service that works with Internet phone company Skype and Apple's European version of iTunes — is waiting for the certificate change, said Fabian Siegel, chief technology officer of the Zurich, Switzerland-based company.
"This is the right step to make this SSL functionality consumer friendly. Those new SSL certificates will definitely help consumers secure themselves against phishing sites," he said. "The biggest problem in the industry today is that consumers don't understand much about the usage of SSL certificates in browsers."
Banks are also likely to adopt the high-assurance certificates, Corillian's Maloney said.
Makers of major Web browsers — Microsoft's Internet Explorer, the Mozilla Foundation's Firefox browser, Opera Software's browser and the open source Konqueror browser — have called for the new certificates. Most browsers are expected to support those in their applications, with special user interfaces that go beyond simply displaying the padlock.
In the forthcoming IE 7, Microsoft plans to display a green-filled address bar for sites that meet the future guidelines and have been awarded the new certificate.
"We think this will help consumers identify sites that they know and want to do business with. It stands in contrast to the experience that they have when they visit a phishing site or the average everyday Web site," Microsoft's Franco said. IE 7 is currently in testing. A final version is scheduled for release by the end of 2006.
Developers for Firefox, Opera and Konqueror are also considering adding new display mechanisms to the padlock to call out the strongly encrypted and strongly validated certificates.
"If the certificate authorities can come to some agreement, implementing those certificates will become a priority," said Thomas Ford, an Opera spokesman.
Firefox developers are also looking at possible changes, said Chris Beard, vice president of products at Mozilla. While they have not yet settled upon a final design, they are performing a comprehensive review of potential SSL security enhancements, he said.
The biggest hurdle to overcome in creating the new type of certificate is bridging differences between certificate authorities, VeriSign's Theodossiou said. "If we can agree, it will definitely enhance the trustworthiness for consumers in dealing with Web sites," he said.
Talkback
This is ridiculous. Certificate Authorities are just looking to supplement an already lucrative business model which uses a flawed methodology.
The problem, when you add crypto to any computer security problem, is that the crypto works - shifting the failure point to the users. That is why "phishing" is the problem, and not cracking.
Users do not understand, by and large, what the padlock means and why. using different colors will not change that. All the CAs are doing is spinning the fact that their service methods DON'T WORK as evidence that they need to do it MORE, so they can justify charging more money.
All web site operators really need is a way to encrypt transactions without the browser complaining to the end user. Third parties can vouch "yup, you're YOU" all day long, using the strongest mathematics in the world - but if you're a crook, you're a crook, and there's NO WAY anybody's going to find out until the damage is done.
In much the same way antivirus vendors have a conflict of interest with virus writers, commercial CAs have a conflict of interest with phishers. Spending more money on verifying identity and telling users that it's actually trustworthiness is not the answer - it's the REAL crime.
Improving padlocks is no answer at all, the key problem always has been and always will be fundamentally flawed procedures and software. Flaws in procedures are apparent at all levels, and the majority of software that users have has more holes than a garden seive.
This new development strikes me as simply another money grabbing exercise.