* Brian Smith:

> The first question is: Should we change our UI to be the same as
> other browsers? My answer is no. It *is* a good idea to show the
> root certificate's organization name in this part of the UI. But, it
> is also important to show all the intermediate organizations' names
> in this part of the UI too. See the recent TrustWave incident for
> motivation. If others agree, then I will file a bug about
> implementing a change to display the O= field from all CA
> certificates in the chain in this UI.

I don't think this is really helpful because intermediate certificates
often use pseudonyms or really misleading names.

A typical chain looks like this:

  AddTrust External CA Root      AddTrust AB
    UTN-UserFirst-Hardware         The USERTRUST Network
      EuropeanSSL Server CA          EUNETIC GmbH

Currently, the left-hand chain is shown in the certificate dialog, and
"EUNETIC GmbH" (which is not a pseudonym, unlike the rest) is shown by
the certificate information attached to the URL bar.

Speaking of the URL bar security information, the "which is run by"
label in the EV information is quite misleading because the EV process
does not ensure that the certificate subject runs the web site.  There
are even a few cases where the web site owner emphatically denies that
they are controlled by the certificate subject!

> The second question is: Should we change the string in the display
> of the *root* certificate from "VeriSign, Inc." to "Norton." My
> answer is no, because AFAICT this field should contain the legal
> name of the organization that owns the root certificate.

This is very desirable indeed, but it's a lot of work if intermediate
certificates are to be covered as well.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
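Added example (not from the poster or the thread): the chain discussed above, rebuilt with Go's standard crypto/x509 so the two display options can be compared. It constructs throwaway P-256 keys and certificates using the four names from the message (the site certificate "Example Site Ltd" / www.example.test is a placeholder), verifies the chain the way a TLS client would, and then returns the subject O= of every CA certificate from the immediate issuer up to the root. The first element is what the URL-bar widget shows today ("EUNETIC GmbH"); the whole list is what the proposal to show all CA organizations would display.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// serial is a counter so each constructed certificate gets a distinct serial number.
var serial int64

// newCert issues a certificate for (org, cn). With parent == nil it is self-signed (a root);
// otherwise it is signed by parent with parentKey. Keys are throwaway P-256 keys for this example.
func newCert(org, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certificate for a web site: Verify needs a SAN and the serverAuth EKU.
		tmpl.DNSNames = []string{"www.example.test"}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// CAOrganizations returns the subject O= of every CA certificate in a verified chain,
// ordered from the leaf's immediate issuer up to the root. The leaf (chain[0]) is skipped.
func CAOrganizations(chain []*x509.Certificate) []string {
	var orgs []string
	for _, c := range chain[1:] {
		orgs = append(orgs, strings.Join(c.Subject.Organization, ", "))
	}
	return orgs
}

// BuildDemoChainOrgs constructs the four-certificate chain from the message (names taken
// from it; the site certificate is a placeholder), verifies it against the constructed root,
// and returns the O= of each CA in the resulting chain.
func BuildDemoChainOrgs() ([]string, error) {
	root, rootKey, err := newCert("AddTrust AB", "AddTrust External CA Root", true, nil, nil)
	if err != nil {
		return nil, err
	}
	utn, utnKey, err := newCert("The USERTRUST Network", "UTN-UserFirst-Hardware", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	eunetic, euneticKey, err := newCert("EUNETIC GmbH", "EuropeanSSL Server CA", true, utn, utnKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := newCert("Example Site Ltd", "www.example.test", false, eunetic, euneticKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	intermediates := x509.NewCertPool()
	intermediates.AddCert(utn)
	intermediates.AddCert(eunetic)
	chains, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: intermediates,
	})
	if err != nil {
		return nil, err
	}
	return CAOrganizations(chains[0]), nil
}

func main() {
	orgs, err := BuildDemoChainOrgs()
	if err != nil {
		panic(err)
	}
	fmt.Println("issuer shown today:  ", orgs[0])                     // EUNETIC GmbH
	fmt.Println("all CA organizations:", strings.Join(orgs, " > ")) // EUNETIC GmbH > The USERTRUST Network > AddTrust AB
}
```

Note that the list comes from the subject O= of each CA certificate, which is exactly the field the proposal would display; the leaf's own O= is left out because the URL-bar widget is about who vouches for the site, not who the site says it is.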