On Sun, Dec 20, 2020 at 9:54 AM Matthew Thompson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> It's not ideal that Google Chrome now states "The connection to this site is
> using a valid, trusted server certificate issued by R3" (desktop) and "Google
> Chrome verified that R3 issued this website's certificate" (mobile). But that
> seems to be an issue the Chromium project could resolve by relying on "O"
> instead of "CN". Maybe something for you to look into Ryan.

Each browser shows something different to describe the CA. Using the site https://www.city.kameyama.mie.jp/ as an example:

Chrome shows the common name of the issuer of the end-entity certificate in the tooltip.

Safari does not show anything until you go for "Show Certificate" after clicking the lock.

Firefox shows the organization name of the issuer of the end-entity certificate in the tooltip.

I don't have IE handy, but it used to show the "friendly name" of the root, which is from the Microsoft certificate database and is not in the certificate at all. I think some other browser used to show the organization name of the root, but I can't remember which.

There just isn't consistency. If you want UI consistency as a CA, you have to duplicate info in various attributes.

When I was setting up a PKI hierarchy a few years ago, I chose to make the organization and common name the same for all the CAs that were not root CAs. The roots all have unique common names because that was a requirement from Microsoft. You can see the result here: https://crt.sh/?CAName=%25Amazon%25

To the point at the beginning of this thread, all these subordinates have the exact same common name. No one has ever complained, to my knowledge.

Thanks,
Peter