Issue 867944

Starred by 6 users

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




Certain DigiCert EV certificates don't show EV Indicator on Mac only

Reported by tobi.za...@gmail.com, Jul 26

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36

Steps to reproduce the problem:
1. Install SSL certificate issued by the "Digicert Global Root G2" root
2. Visit website with Chrome for Mac

What is the expected behavior?
Show the EV indicator, same as on the Windows version of Chrome

What went wrong?
"Secure" indicator instead of EV indicator is shown

Did this work before? N/A

Chrome version: 68.0.3440.75  Channel: stable
OS Version: OS X 10.13.4
Flash Version:
 
An example given by a user is https://mv.blasmusikverband-tirol.at/ which shows the EV indicator in Safari, but not Chrome. When looking up the website on Chrome for Windows, the EV indicator is shown correctly.
Labels: Needs-Triage-M68
Components: -UI Internals>Network>EV
Labels: Triaged-ET
Ccing asymmetric@ from issue https://bugs.chromium.org/p/chromium/issues/detail?id=791870 to confirm whether it is related to this issue, and requesting further input on the issue for triaging.

Thanks...!!
Cc: asymmetric@chromium.org
Status: Started (was: Unconfirmed)
Running through checks that could drop EV UI:
 - This certificate chains up to an EV-enabled CA
 - The leaf asserts the proper DigiCert EV OID
 - It is compliant with the Chromium CT Policy for <15-month certs

There could possibly be some interactions with restrictions placed on the Legacy Symantec PKI, but I'm still looking into that for now.
Cc: cthomp@chromium.org
ccing cthomp to see if this is related to security UI experiments.
Labels: Needs-Feedback
We're currently running a small-scale study on security UI in the omnibox, and one condition in that experiment involves reducing the UI shown for EV certificates.

Could you please share the list of variations from chrome://version for the affected installations so we can check if that is what is causing this for you? Thanks!
I forgot to mention: that experiment (if active and affecting the site) will show a message in the developer tools console, so you can also check there.
Please see the list of variations here:


Regarding Comment #3, I'm assuming that the case is related and the fix provided for that problem only fixed the Windows version. I haven't seen a Linux test machine yet to confirm whether it was fixed for that OS or not.
Thanks for the variations list. Looking through, it does not look like your Chrome install is in the experimental group that would affect this. You can also double check by going into chrome://flags and setting #simplify-https-indicators to "Disabled".

Devon: Any other ideas if this is really a Mac-specific issue rather than the experimental UI?
I've disabled the simplify-https-indicators setting (and restarted Chrome) but I'm still only seeing the "Secure" indicator.
Okay, thanks for double checking. This definitely sounds like the EV check is downgrading it to a regular certificate then. asymmetric@ may have more ideas for why this is happening (and why it seems to be isolated to only your Mac install).

One other thing you could check would be to install Chrome Canary and see if this behavior replicates on the same machine (you can run both Stable channel and Canary side-by-side on Mac).
Oh sorry, I must have forgotten to mention: it's not isolated to my Mac! I've had customers complain that it didn't work on theirs and had multiple Mac users confirm the same behavior, too. I haven't found a Mac where the bug is _not_ showing up so far.
There is a limitation in our EV logic - the verifier will check if the leaf cert has a candidate EV policy OID, and if it does, will check if the chain is valid for that policy. If the leaf has multiple candidate EV policy OIDs, then which one gets checked is just luck depending on the order the policies get enumerated, which varies by platform. (And there's already a hack for issue 705285.) The cert in this case has 3 candidate EV policies.

The new verifier does handle this properly, checking all the candidate policies. We could probably update the existing verifiers to do as well if we think it's worth the effort.

Conveniently, the Net.CertVerifier_TrialComparisonResult histogram has a bucket for this. On Mac it's showing 0.01% of verifications that appear to be affected.

https://uma.googleplex.com/p/chrome/histograms/?endDate=latest&dayCount=28&histograms=Net.CertVerifier_TrialComparisonResult&fixupData=true&showMax=true&filters=platform%2Ceq%2CM%2Csimple_version%2Cregex%2C..%5C%5C.0%5C%5C.345%5B6-9%5D%5C%5C..%7C..%5C%5C.0%5C%5C.34%5B6-9%5D%5B0-9%5D%5C%5C..%7C..%5C%5C.0%5C%5C.3%5B5-9%5D..%5C%5C..%2Cisofficial%2Ceq%2CTrue&implicitFilters=isofficial

(On Linux it's basically zero. I don't have data for Windows.)
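As an added illustration of the policy-selection limitation described in the comment above (this is a simulation written for this page, not Chromium's verifier code), the Python below models a leaf carrying three candidate EV OIDs and compares a verifier that tries only the first enumerated candidate with one that tries all of them. The policy OIDs, the root-to-policy registry and the "reissued" profile are constructed assumptions for the example.

```python
"""Simulation of the EV policy-selection limitation discussed above (not Chromium code)."""
from itertools import permutations

# Policy OIDs a DigiCert EV leaf could carry (assumed values for this illustration).
CABF_EV = "2.23.140.1.1"                    # CA/Browser Forum EV policy
DIGICERT_EV = "2.16.840.1.114412.2.1"       # DigiCert EV policy
SYMANTEC_EV = "2.16.840.1.113733.1.7.23.6"  # legacy Symantec EV policy

# Constructed stand-in for the browser's EV root metadata: root name -> EV OIDs it may assert.
EV_ROOTS = {
    "DigiCert Global Root G2": {DIGICERT_EV, CABF_EV},
    "Legacy Symantec EV Root (hypothetical)": {SYMANTEC_EV, CABF_EV},
}
KNOWN_EV_OIDS = set().union(*EV_ROOTS.values())


def candidate_ev_policies(leaf_policies):
    """Leaf policies that are EV OIDs for *some* root, in the order the platform enumerated them."""
    return [oid for oid in leaf_policies if oid in KNOWN_EV_OIDS]


def chain_valid_for_policy(root_name, oid):
    """Stand-in for path validation with initial policy {oid}: the chain's root must be registered for it."""
    return oid in EV_ROOTS.get(root_name, set())


def legacy_is_ev(leaf_policies, root_name):
    """Old behaviour: only the first candidate is checked, so the answer depends on enumeration order."""
    candidates = candidate_ev_policies(leaf_policies)
    return bool(candidates) and chain_valid_for_policy(root_name, candidates[0])


def fixed_is_ev(leaf_policies, root_name):
    """New behaviour: every candidate policy is tried before giving up on EV."""
    return any(chain_valid_for_policy(root_name, oid) for oid in candidate_ev_policies(leaf_policies))


def outcomes_by_order(leaf_policies, root_name):
    """Run the legacy check under every possible enumeration order (one per 'platform')."""
    return {order: legacy_is_ev(list(order), root_name) for order in permutations(leaf_policies)}


if __name__ == "__main__":
    root = "DigiCert Global Root G2"
    affected = [CABF_EV, DIGICERT_EV, SYMANTEC_EV]  # constructed: three candidate EV policies
    reissued = [CABF_EV, DIGICERT_EV]               # constructed: Symantec OID removed from profile
    for order, ev in outcomes_by_order(affected, root).items():
        print("legacy:", "EV" if ev else "no EV", "when enumerated as", order)
    print("fixed verifier on affected cert:", fixed_is_ev(affected, root))
    print("legacy verifier on reissued cert, every order:", all(outcomes_by_order(reissued, root).values()))
```

Running it shows the legacy check flipping between EV and no-EV purely on enumeration order, while the all-candidates check and the reissued profile are stable.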
Labels: -Needs-Feedback
Dropping needs-feedback since I think something that's 'Started' doesn't need our usual triage procedures for that (and it does seem like the issue is understood)
Labels: Hotlist-ConOps
Is there a particular upcoming release where this bug in the verifier will be patched?
DigiCert has fixed this issue. Re-issuing the affected certificate fixed the problem for me.

Here is the email I received from them:

====================================

Important Service Announcement

This communication contains important updates regarding your Symantec Trust Center products and services.
Extended Validation (EV) TLS certificate profile update
We updated the certificate profile of the full SHA256 EV hierarchy to remove the Symantec policy OID from the Certificate Policies extension on September 27, 2018. This resolves an issue where the EV indicator was not being displayed in Chrome on macOS.

This affects EV certificates issued between Jan 31st, 2018 and September 27th, 2018, and only if they were issued from the full SHA256 EV hierarchy. Please replace the existing full SHA256 EV certificates if you want to show the EV indicator in Chrome on macOS. There is no action required for the remaining use cases.
Status: Available (was: Started)
This issue has been marked as started, but has no owner. Making available.
