Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute from Johnathan Nightingale on 2008-05-02 (public-wsc-wg@w3.org from May 2008)

From: Johnathan Nightingale <johnath@mozilla.com>
Date: Fri, 2 May 2008 12:35:24 -0400
To: "Ian Fette" <ifette@google.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Message-Id: <5ED5A08A-5AAF-4904-BC7E-F8AE60F4343D@mozilla.com>

IMO, the issue of whether this is primary or secondary is handled  
elsewhere.  We (Firefox, that is) don't include the CA name in primary  
like IE does, for instance, but we do think it's important enough to  
put in the popup, the page info dialog, and the tooltip for the  
primary chrome button.

The issue is, if we are presenting verified identity, but not saying  
anything about who has done the verifying, people will (and have! and  
will again!) assume that Mozilla, Microsoft, Opera, or whomever is  
doing the verification.  This is misleading, and doesn't help users  
make good trust decisions.  I don't dispute that these companies are  
not exactly household names, but the argument that this means their  
name shouldn't need to be attached to their claims doesn't wash for me.

You could say "Fine, go ahead and display it if you want, but that  
doesn't mean the spec should *require* it" and that's an argument I've  
used about many things in the spec that seemed more like "good ideas"  
than requirements.  But I don't know why we would devote any time in  
our spec to AA/verified certs at all without including this.  Identity  
claims don't mean anything without some association to the person  
making them.  I would consider a browser which included an identity  
signal but didn't tell me where that information to be incomplete (and  
misleading!).

Cheers,

J

On 2-May-08, at 12:23 PM, Ian Fette wrote:

> I don't understand why we have this for any cert. I'm fine with this  
> being displayed in secondary chrome somewhere, but take IE7 for  
> instance. It rolls back and forth between "Paypal [US]" and "Issued  
> by Verisign". No offense to PHB, but I really don't believe that any  
> user cares at all who issued the cert. They have no idea who any of  
> these companies are, they just want to know if they're secure or  
> not. (In theory they might want to know if they're talking to Paypal  
> or not). I think that's the important info we should show, I have no  
> idea why we think it's good to mandate showing issuer.
>
> On Fri, May 2, 2008 at 9:17 AM, Johnathan Nightingale <johnath@mozilla.com 
> > wrote:
> The key word here is "Issuer."
>
> The requirement is that the identity signal make it clear what party  
> (CA) is responsible for extending this trust (e.g. Comodo, Entrust,  
> or Verisign).  Even in validated (non-AA) certs, we can trust  
> issuers to get their own names right.  :)
>
> Language elsewhere talks about what to do for the *subject* of the  
> cert, which I think is your confusion here.
>
> Cheers,
>
> Johnathan
>
>
> On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote:
>>
>> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content
>>
>> 6.1.2 Identity Signal says for validated certificates:
>>
>> "The identity signal MUST include the Issuer field's Organization  
>> attribute to inform the user about the party responsible for that  
>> information."
>>
>> I don't remember why that is for validated certificates. If we did  
>> this one to death already, please point me to it. Otherwise, my  
>> proposal for this issue is either:
>>
>> A) Move that to AA certs only
>> B) Change the MUST to a SHOULD. Which actually I feel is still too  
>> strong. But I'm guessing there's something I'm missing.
>>
>>
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 2 May 2008 16:36:08 UTC