As documented in https://bugzilla.mozilla.org/show_bug.cgi?id=277797 the EU now has standardized a way for a certificate (e.g. SSL or email cert) to state a monetary limit for the value of a transaction that is protected by that cert. It's a limit of liability, and is one of several new types of "qualified statements". The limits are expressed in two parts, a unit of currency and an amount. The unit of currency may be expressed as a symbol or as a 3 character string.
The certificate issuers (CAs) may choose to mark these statements as "critical", which means that an application MUST NOT HONOR these certificates (e.g. must not establish an SSL connection with them) UNLESS the application understands these statements and will "enforce" them. In the case of https (web pages), where there is no standardized way for the value of the transaction to be expressed in the (http) protocol, "enforcement" may consist of nothing more than showing the user the relevant monetary limit(s).
According to at least one CA in Hungary, some EU nations now require these "qualified statements" in the certs issued by CAs in their countries, and require them to be marked "critical".
mozilla's NSS crypto libraries do not yet understand these new statements, but even if NSS did, and could make that info available to the application via some API, mozilla/FF/TB would need to have some way of showing this limit to the user. NSS's honoring of a cert bearing such a statement would be conditional on whether or not the application actually attempted to use that info.
So, I'd like to ask the mozilla/TB/FF UI community to begin to figure out how they're going to do that (show the limits to the user).
And, BTW, this applies to any use of these certs, not just https. It also applies to POP, IMAP, SMTP and whatever, when run over SSL. So the UI challenge is greater than merely for the browser's chrome.
/Nelson

_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
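Added example, not part of Nelson's message and not NSS or Mozilla code: a self-contained Python decoder for the QCStatements extension (RFC 3739, id-pe-qcStatements 1.3.6.1.5.5.7.1.3) that extracts the ETSI QcEuLimitValue statement (ETSI TS 101 862, OID 0.4.0.1862.1.2), accepts both currency encodings ETSI allows (a 3-character PrintableString such as "EUR" or the numeric ISO 4217 code such as 978), computes the limit as amount * 10^exponent, and applies the rule from the message: a critical extension carrying any statement the application does not understand means the certificate must not be honored, otherwise the limit is handed to the UI for display. The set of "understood" statements, the numeric-to-alphabetic currency table, the display string and the hand-encoded DER samples are all assumptions constructed for this example; the OIDs are the real ETSI/RFC 3739 ones.

```python
# Added example (not from Nelson's message, not NSS code): decode the QCStatements extension (RFC 3739,
# 1.3.6.1.5.5.7.1.3), extract ETSI QcEuLimitValue (0.4.0.1862.1.2) and apply the "critical" rule.
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Tuple

OID_QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance
OID_QC_LIMIT_VALUE = "0.4.0.1862.1.2"  # id-etsi-qcs-QcLimitValue
OID_QC_RETENTION = "0.4.0.1862.1.3"    # id-etsi-qcs-QcRetentionPeriod (treated below as "not understood")
UNDERSTOOD = {OID_QC_COMPLIANCE, OID_QC_LIMIT_VALUE}                # assumption: what this client enforces
ISO4217_NUMERIC = {978: "EUR", 348: "HUF", 826: "GBP", 840: "USD"}  # assumption: partial lookup table

# --- minimal DER reader: enough for SEQUENCE, OBJECT IDENTIFIER, INTEGER, PrintableString ---
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def seq_items(body: bytes) -> List[Tuple[int, bytes]]:
    items, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        items.append((tag, inner))
    return items

def decode_oid(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0                  # correct for first arc 0 or 1
    for b in body[1:]:                                          # base-128, continuation bit 0x80
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def decode_int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)

@dataclass
class MonetaryValue:                                            # ETSI MonetaryValue: amount * 10^exponent
    currency: str                                               # ISO 4217 alphabetic code
    amount: int
    exponent: int
    def value(self) -> Decimal:
        return Decimal(self.amount) * Decimal(10) ** self.exponent

def decode_monetary_value(body: bytes) -> MonetaryValue:
    items = seq_items(body)
    if len(items) != 3 or items[1][0] != 0x02 or items[2][0] != 0x02:
        raise ValueError("malformed MonetaryValue")
    ctag, cbody = items[0]
    if ctag == 0x13 and len(cbody) == 3:                        # PrintableString alphabetic code, "EUR"
        currency = cbody.decode("ascii")
    elif ctag == 0x02:                                          # INTEGER numeric code, 978
        currency = ISO4217_NUMERIC.get(decode_int(cbody), f"ISO4217#{decode_int(cbody)}")
    else:
        raise ValueError("unsupported Iso4217CurrencyCode encoding")
    return MonetaryValue(currency, decode_int(items[1][1]), decode_int(items[2][1]))

@dataclass
class QcDecision:
    honor: bool
    reason: str
    limits: List[MonetaryValue]

def evaluate_qc_statements(ext_value: bytes, critical: bool) -> QcDecision:
    """Critical + any statement we do not understand => must not honor; otherwise hand limits to the UI."""
    limits, unknown = [], []
    try:
        tag, outer, _ = read_tlv(ext_value, 0)
        if tag != 0x30:
            raise ValueError("QCStatements is not a SEQUENCE")
        for stag, sbody in seq_items(outer):
            parts = seq_items(sbody) if stag == 0x30 else []
            if not parts or parts[0][0] != 0x06:
                raise ValueError("malformed QCStatement")
            oid = decode_oid(parts[0][1])
            if oid == OID_QC_LIMIT_VALUE:
                if len(parts) != 2 or parts[1][0] != 0x30:
                    raise ValueError("malformed QcEuLimitValue")
                limits.append(decode_monetary_value(parts[1][1]))
            elif oid not in UNDERSTOOD:
                unknown.append(oid)
    except (ValueError, IndexError) as e:                       # undecodable: honor only if non-critical
        return QcDecision(not critical, f"undecodable QCStatements: {e}", [])
    if critical and unknown:
        return QcDecision(False, "critical QCStatements not understood: " + ", ".join(unknown), limits)
    return QcDecision(True, "ok", limits)

def describe_limits(decision: QcDecision) -> List[str]:        # the string a UI would show the user
    return [f"Transaction value limit: {m.value():,.2f} {m.currency}" for m in decision.limits]

# Constructed sample statements (hand-encoded DER, not taken from any real certificate)
STMT_COMPLIANCE = bytes.fromhex("3008 0606 04008e460101")                                  # { QcCompliance }
STMT_LIMIT_EUR = bytes.fromhex("3016 0606 04008e460102 300c 1303455552 02022710 0201fe")  # "EUR", 10000, -2
STMT_LIMIT_978 = bytes.fromhex("3015 0606 04008e460102 300b 020203d2 02022710 0201fe")    # 978, 10000, -2
STMT_RETENTION = bytes.fromhex("300b 0606 04008e460103 02010a")                            # retention 10 years

def qc_statements_extension(*stmts: bytes) -> bytes:
    body = b"".join(stmts)
    return bytes([0x30, len(body)]) + body                      # short-form length suffices for the samples
```

The same extension value flips from "honor" to "do not honor" purely on the criticality flag once a statement outside the understood set (here QcRetentionPeriod) is present, which is the behaviour the message describes; a non-critical extension with the same content is still honored and its limit is still surfaced. An undecodable extension is treated the same way: rejected when critical, ignored when not. Both currency encodings decode to the same 100.00 EUR limit.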
