On 10/03/12 04:56 AM, Brian Smith wrote:
> Geoffrey Noakes wrote:
>> The *only* change we are asking of Mozilla is to change "Verified by:
>> VeriSign, Inc." in the hover-over box to "Verified by Norton":
>
> In Firefox, we show the name of the organization that issued the intermediate
> certificate (the subject O= field of the intermediate certificate) in the hover
> box. This information comes directly from the intermediate certificate.
> I have been told, but haven't verified, that other browsers show the name of
> the organization that issued the root certificate (the subject O= field of the
> root certificate) in their UI.
>
> The first question is: Should we change our UI to be the same as other
> browsers? My answer is no.

Go! Brian, I'll always support Mozilla doing its own stuff in
security. That's why I currently like Chrome and dislike Firefox :)
Unfortunately, too much of security is done herd-like. So consequently
the UI is worst practices - the lowest common denominator effect - what
the browsers could most agree on and suffer least on.
If you can get Mozilla to start breaking things in Firefox's browser,
all power to you. We can only improve by breaking things. Competition
in security is the only way forward.

> It *is* a good idea to show the root certificate's organization name in this
> part of the UI. But, it is also important to show all the intermediate
> organizations' names in this part of the UI too. See the recent TrustWave
> incident for motivation. If others agree, then I will file a bug about
> implementing a change to display the O= field from all CA certificates in the
> chain in this UI.

The root is responsible. The intermediate organisation is responsible
to the root, but Mozilla holds the root entirely and completely
responsible for meeting the party. This has recently been affirmed over
on the policy group, although there are some holdouts in the CAs that
are trying to muddy the waters so they can still distro the
responsibility away from them. Let's stick to the principles.
The root is responsible.
However, according to the principle of delegation, the root can delegate
any of its functions - detailed actions - to any party, as long as it
maintains its responsibility. Indeed the root organisation always will
delegate the functions to other agents, because a corporation isn't able
to do anything by itself, it's not corporeal, it's a legal myth.
Typically this means delegation to employees, but also to RAs being
other organisations that have other employees.
No matter the details, the root remains responsible. So from that pov,
the root should always be shown.
However it seems to be widespread but slippery behaviour in the industry
to delegate entire CA functioning to a new organisation to act as a CA
in and of its own right. Whatever we want or try to want at Mozilla, it
seems futile to ignore the rest of the world, and where we can shine a
little light we should.
Therefore I agree that the intermediate names should be shown.
(I also agree that the root CA should always be shown on the chrome, as
otherwise users think Mozilla verified the site. And Mozilla is
responsible.)

> The second question is: Should we change the string in the display of the
> *root* certificate from "VeriSign, Inc." to "Norton." My answer is no,
> because AFAICT this field should contain the legal name of the organization
> that owns the root certificate. In this case, it would be "Symantec
> Corporation" or "VeriSign, Inc." depending on the new corporate structure of
> VeriSign. If Symantec changes the legal name of this organization to "Norton"
> then this would be an acceptable and required change. (However, that is
> impossible, because US law requires businesses include "Inc.,"
> "Corporation," "LLC.," etc in their legal name.)

Two things: You have to get that string from somewhere. I'm guessing it
is either the "O" in the cert, or it is some cached name in the root
list. Which doesn't show intermediates... currently.
2. Relying on the "O" to show the proper name (legal?) is nice but
unreliable. Until vendors do due diligence on CAs' names to the same
extent CAs claim they do it on their subscribers, you'll get a mishmash
of approaches. This is no easy question, you'll run into all sorts of
difficulties trying to establish a standard approach - certificates and
x509 are not really a good place for semantic standardisation.

> The third question is: Should the UI replace the display of the O= field of
> *intermediate* certificates that chain to Symantec/VeriSign's roots to
> "Norton" when the value is "VeriSign, Inc." My answer is no. See the recent
> TrustWave incident for motivation. It is important to display the information
> in the intermediate certificates exactly as we received it in the
> certificate. We have too many more important things to do. And, our users do
> not benefit from such a change.

Yes, exactly as found in the cert. You are the browser, they are the
certification authority. If they certified names in the certs, that's
something you should take on at face value. Otherwise you are
infringing on the original claims made and that has consequences that
bounce up and down the legal chain.
(See above the comment about Mozilla claiming to have verified the site
by absence of any alternate theory presented on the chrome. There are
other mistruths in the browser like "you do not trust this site" ...
but that's a wider rant. As BR comes through and more of the legal
links are written down end-to-end, you'll be under more pressure to
clean up the claims you make to users.)

> I am interested in hearing other people's thoughts on the matter.
> Cheers,
> Brian

All, just my jotted off thoughts, others usually disagree.
iang