Geoffrey Noakes wrote:
> 
> The *only* change we are asking of Mozilla is to change "Verified by:
> VeriSign, Inc." in the hover-over box to "Verified by Norton":

In Firefox, we show the name of the organization that issued the intermediate 
certificate (the subject O= field of the intermediate certificate) in the hover 
box. This information comes directly from the intermediate certificate.

I have been told, but haven't verified, that other browsers show the name of 
the organization that issued the root certificate (the subject O= field of the 
root certificate) in their UI.

The first question is: Should we change our UI to be the same as other 
browsers? My answer is no. It *is* a good idea to show the root certificate's 
organization name in this part of the UI. But, it is also important to show all 
the intermediate organizations' names in this part of the UI too. See the 
recent TrustWave incident for motivation. If others agree, then I will file a 
bug about implementing a change to display the O= field from all CA 
certificates in the chain in this UI.

The second question is: Should we change the string in the display of the 
*root* certificate from "VeriSign, Inc." to "Norton"? My answer is no, because 
AFAICT this field should contain the legal name of the organization that owns 
the root certificate. In this case, it would be "Symantec Corporation" or 
"VeriSign, Inc." depending on the new corporate structure of VeriSign. If 
Symantec changes the legal name of this organization to "Norton" then this 
would be an acceptable and required change. (However, that is impossible, 
because US law requires businesses include "Inc.," "Corporation," "LLC.," etc. 
in their legal name.)

The third question is: Should the UI replace the display of the O= field of 
*intermediate* certificates that chain to Symantec/VeriSign's roots to "Norton" 
when the value is "VeriSign, Inc."? My answer is no. See the recent TrustWave 
incident for motivation. It is important to display the information in the 
intermediate certificates exactly as we received it in the certificate. We have 
too many more important things to do. And, our users do not benefit from such a 
change. 

I am interested in hearing other people's thoughts on the matter.

Cheers,
Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
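
An added example, not part of the original message and not Mozilla's code: a minimal DER walker that reads the subject O= value from every CA certificate above the leaf, returning each string exactly as encoded, which is the display the message proposes. The function names (`subject_org`, `ca_orgs`, `fake_cert`) and the organization names are assumptions; the certificates are constructed, unsigned skeletons.

```python
OID_O = bytes.fromhex("55040a")  # 2.5.4.10 organizationName

def tlv(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    n = len(body)
    ln = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, (0x80 | len(ln)) if ln else n]) + ln + body

def read(buf, pos=0):
    """Decode one TLV at pos; return (tag, body, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def children(body):  # split a constructed value's body into (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read(body, pos)
        out.append((tag, val))
    return out

def subject_org(cert_der):
    """Subject O= exactly as encoded in the certificate, or None if absent."""
    tbs = children(children(read(cert_der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # skip the explicit [0] version field
        tbs = tbs[1:]
    for _, rdn in children(tbs[4][1]):  # serial, sigalg, issuer, validity, subject
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            if oid == OID_O:
                return val.decode("utf-8")  # UTF8String/PrintableString only
    return None

def ca_orgs(chain):  # chain is leaf-first; report every CA certificate above the leaf
    return [subject_org(c) for c in chain[1:]]

# Constructed, unsigned certificate skeletons with made-up names (not real certificates).
def name(o):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_O) + tlv(0x0C, o.encode()))))
def fake_cert(issuer, subject):
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    body = [tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, issuer,
            tlv(0x30, tlv(0x17, b"120101000000Z") * 2), subject, tlv(0x30, b"")]
    return tlv(0x30, tlv(0x30, b"".join(body)) + alg + tlv(0x03, b"\x00"))

ROOT, INTER, LEAF = name("Example Root Corporation"), name("Example Issuing CA, Inc."), name("Example Site LLC")
CHAIN = [fake_cert(INTER, LEAF), fake_cert(ROOT, INTER), fake_cert(ROOT, ROOT)]
```

The walker does no signature or path validation; it only extracts the names a UI would show for a chain that has already been validated.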
