Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

[Brian Smith]

Geoffrey Noakes wrote:
 
 The *only* change we are asking of Mozilla is to change Verified by:
 VeriSign, Inc. in the hover-over box to Verified by Norton:

In Firefox, we show the name of the organization that issued the intermediate 
certificate (the subject O= field of the intermediate certificate) in the hover 
box. This information comes directly from the intermediate certificate.

I have been told, but haven't verified, that other browsers show the name of 
the organization that issued the root certificate (the subject O= field of the 
root certificate) in their UI.

The first question is: Should we change our UI to be the same as other 
browsers? My answer is no. It *is* a good idea to show the root certificate's 
organization name in this part of the UI. But, it is also important to show all 
the intermediate organizations' names in this part of the UI too. See the 
recent TrustWave incident for motivation. If others agree, then I will file a 
bug about implementing a change to display the O= field from all CA 
certificates in the chain in this UI.

The second question is: Should we change the string in the display of the 
*root* certificate from VeriSign, Inc. to Norton. My answer is no, because 
AFAICT this field should contain the legal name of the organization that owns 
the root certificate. In this case, it would be Symantec Corporation or 
VeriSign, Inc. depending on the new corporate structure of VeriSign. If 
Symantec changes the legal name of this organization to Norton then this 
would be an acceptable and required change. (However, that is impossible, 
because US law requires businesses include Inc., Corporation, LLC., etc 
in their legal name.)

The third question is: Should the UI replace the display of the O= field of 
*intermediate* certificates that chain to Symantec/VeriSign's roots to Norton 
when the value is VeriSign, Inc. My answer is no. See the recent TrustWave 
incident for motivation. It is important to display the information in the 
intermediate certificates exactly as we received it in the certificate. We have 
too many more important things to do. And, our users do not benefit from such a 
change. 

I am interested in hearing other peoples' thoughts on the matter.

Cheers,
Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

[Eddy Nigg]

On 03/09/2012 07:56 PM, From Brian Smith:

If others agree, then I will file a bug about implementing a change to display 
the O= field from all CA certificates in the chain in this UI.


My question would be how you would do that, is there enough UI real 
estate for that? If there is, it would be terrific. Otherwise I assume 
that the current UI is the most correct implementation.



The second question is: Should we change the string in the display of the *root* certificate from 
VeriSign, Inc. to Norton.


No, this is a brand name and not the incorporated organization name. 
However in case you want to implement something different than using the 
organization field of the issuer certificate, than it should be probably 
Symantec Inc.. In fact this they could easily achieve themselves by 
issuing new intermediate CA certificates from the Verisign root with the 
correct organization field.


Just a small warning - they should not attempt to use Norton in the 
organization field, this would clearly violate the Mozilla policy and 
Baseline Requirements.


--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:start...@startcom.org
Blog:http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

[Wan-Teh Chang]

On Fri, Mar 9, 2012 at 9:56 AM, Brian Smith bsm...@mozilla.com wrote:

 The second question is: Should we change the string in the display of the 
 *root* certificate from VeriSign, Inc. to Norton.

Ideally this string should come from the certificate.  The fundamental
purpose of a certificate is to bind a public key to a name.  If the
displayed name is not in the certificate, that will confuse the user
when he opens the certificate viewer dialog and sees no mention of
Norton in the certificate.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

[ianG]

On 10/03/12 04:56 AM, Brian Smith wrote:

Geoffrey Noakes wrote:


The *only* change we are asking of Mozilla is to change Verified by:
VeriSign, Inc. in the hover-over box to Verified by Norton:


In Firefox, we show the name of the organization that issued the intermediate 
certificate (the subject O= field of the intermediate certificate) in the hover 
box. This information comes directly from the intermediate certificate.

I have been told, but haven't verified, that other browsers show the name of 
the organization that issued the root certificate (the subject O= field of the 
root certificate) in their UI.

The first question is: Should we change our UI to be the same as other 
browsers? My answer is no.


Go!  Brian, I'll always support Mozilla doing it's own stuff in 
security.  That's why I currently like Chrome and dislike Firefox :) 
Unfortunately, too much of security is done herd-like.  So consequently 
the UI is worst practices - the lowest common denominator effect - what 
the browsers could most agree on and suffer least on.


If you can get Mozilla to start breaking things in Firefox's browser, 
all power to you.  We can only improve by breaking things.  Competition 
in security is the only way forward.



It *is* a good idea to show the root certificate's organization name in this 
part of the UI. But, it is also important to show all the intermediate 
organizations' names in this part of the UI too. See the recent TrustWave 
incident for motivation. If others agree, then I will file a bug about 
implementing a change to display the O= field from all CA certificates in the 
chain in this UI.


The root is responsible.  The intermediate organisation is responsible 
to the root, but Mozilla holds the root entirely and completely 
responsible for meeting the party.  This has recently been affirmed over 
on the policy group, although there are some holdouts in the CAs that 
are trying to muddy the waters so they can still distro the 
responsibility away from them.  Let's stick to the principles.


The root is responsible.

However, according to the principle of delegation, the root can delegate 
any of its functions - detailed actions - to any party, as long as it 
maintains its responsibility.  Indeed the root organisation always will 
delegate the functions to other agents, because a corporation isn't able 
to do anything by itself, it's not corporeal, it's a legal myth. 
Typically this means delegation to employees, but also to RAs being 
other organisations that have other employees.


No matter the details, the root remains responsible.  So from that pov, 
the root should always be shown.


However it seems to be widespread but slippery behaviour in the industry 
to delegate entire CA functioning to a new organisation to act as a CA 
in and of its own right.  Whatever we want or try to want at Mozilla, it 
seems futile to ignore the rest of the world, and where we can shine a 
little light we should.


Therefore I agree that the intermediate names should be shown.

(I also agree that the root CA should always be shown on the chrome, as 
otherwise users think Mozilla verified the site.  And Mozilla is 
responsible.)




The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer 
is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be Symantec 
Corporation or VeriSign, Inc. depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization 
to Norton then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include 
Inc., Corporation, LLC., etc in their legal name.)


Two things: You have to get that string from somewhere.  I'm guessing it 
is either the O in the cert, or it is some cached name in the root 
list.  Which doesn't show intermediates... currently.


2.  Relying on the O to show the proper name (legal?) is nice but 
unreliable.  Until vendors do due diligence on CAs' names to the same 
extent CAs claim they do it on their subscribers, you'll get a mishmash 
of approaches.  This is no easy question, you'll run into all sorts of 
difficulties trying to establish a standard approach - certificates and 
x509 are not really a good place for semantic standardisation.



The third question is: Should the UI replace the display of the O= field of *intermediate* 
certificates that chain to Symantec/VeriSign's roots to Norton when the value is 
VeriSign, Inc. My answer is no. See the recent TrustWave incident for motivation. It is 
important to display the information in the intermediate certificates exactly as we received it in 
the certificate. We have too many more important things to do. And, our users do not benefit from 
such a change.



Yes, exactly as found in the cert.  You are the browser, they are the