[cabfpub] Chrome security warning discrepancy?

Dean Coclin Dean_Coclin at symantec.com
Mon Jan 26 16:09:52 UTC 2015


Thanks Stephen. Is that documented anywhere? While I recall reading a lot
about deprecated UIs for SHA-1 certs, I don't remember anything about the
"identity validated" piece being different. If that's the case, it's
extremely misleading to end users who have no idea nor are expected to know
what SHA1 even is.

 

Dean

 

From: Stephen Davidson [mailto:S.Davidson at quovadisglobal.com] 
Sent: Saturday, January 24, 2015 2:09 PM
To: Ben Wilson; Dean Coclin; CABFPub (public at cabforum.org)
Subject: RE: Chrome security warning discrepancy?

 

In Chrome all valid SSL normally have "identity verified".  The difference
is that DV and OV show the URL, while EV shows the Subject O.

 

I think Chrome is showing "identity not verified" for SHA1-based certs with
validity into 2016.  

 

Regards, Stephen

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Saturday, January 24, 2015 2:58 PM
To: Dean Coclin; CABFPub (public at cabforum.org)
Subject: Re: [cabfpub] Chrome security warning discrepancy?

 

Dean wrote, "Does anybody understand this?"

 

My response - "no".

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: Saturday, January 24, 2015 9:55 AM
To: CABFPub (public at cabforum.org)
Subject: [cabfpub] Chrome security warning discrepancy?

 

I recently downloaded the newest version of Chrome (Version 40.0.2214.91 m)
and am now baffled by the certificate information. Here are 2 examples:

 

This screen shot shows https://www.Marriott.com. First it shows the green
lock and https as a normal indication of a secure connection. But below it
says the site is using outdated security settings. I thought if it said
this, then we would see a yellow indication (triangle or question mark)
above. Have things changed?

 

Further, it says "Identity not verified" even though the site has undergone
OV vetting and all information in the cert about the company was checked.

 



 

Contrast this to the 2nd site below,
https://www.carbon2cobalt.com/statuslogin.asp which has a DV cert yet says
"Identity verified":

 



Both sites have had their domain names "validated" yet why say "Identity
verified" with a DV cert and not an OV cert?

Does anybody understand this?

Thanks,
Dean

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 56335 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150126/51e7938d/attachment-0006.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 23665 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150126/51e7938d/attachment-0007.png>