Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute

My only issue is that if, for instance, someone said "That thing on the
right that shows 'Paypal [US]' needs to show the Issuer as well", that
would suck. I agree it should be shown somewhere, I just want to make sure
it's possible to have
a) Something that just shows "Paypal [US]" in primary chrome
b) a more fully-fledged thing (identity signal) showing more information in
secondary chrome

Do people think it's clear from the spec that the thing on the right in FX3
is not the identity signal, but rather the identity signal is what you get
after clicking the favicon?

On Fri, May 2, 2008 at 10:07 AM, Mary Ellen Zurko <
Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

>
> OK, that's something I can actually understand; dealing with the common
> user confusion that the browser is the one who gives the identity. It will
> be interesting to see how that plays out in the usability testing we do
> after Last Call. I'm satisfied, and since it's my issue, and since we spent
> a lot of time together on that section, I'm happy to close it.
>
> Mez
>
> From: Johnathan Nightingale <johnath@mozilla.com>
> To: "Ian Fette" <ifette@google.com>
> Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
> Date: 05/02/2008 12:35 PM
> Subject: Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute
> ------------------------------
>
> IMO, the issue of whether this is primary or secondary is handled
> elsewhere.  We (Firefox, that is) don't include the CA name in primary like
> IE does, for instance, but we do think it's important enough to put in the
> popup, the page info dialog, and the tooltip for the primary chrome button.
>
> The issue is, if we are presenting verified identity, but not saying
> anything about who has done the verifying, people will (and have! and will
> again!) assume that Mozilla, Microsoft, Opera, or whomever is doing the
> verification.  This is misleading, and doesn't help users make good trust
> decisions.  I don't dispute that these companies are not exactly household
> names, but the argument that this means their name shouldn't need to be
> attached to their claims doesn't wash for me.
>
> You could say "Fine, go ahead and display it if you want, but that doesn't
> mean the spec should *require* it" and that's an argument I've used about
> many things in the spec that seemed more like "good ideas" than
> requirements.  But I don't know why we would devote any time in our spec to
> AA/verified certs at all without including this.  Identity claims don't mean
> anything without some association to the person making them.  I would
> consider a browser which included an identity signal but didn't tell me
> where that information came from to be incomplete (and misleading!).
>
> Cheers,
>
> J
>
> On 2-May-08, at 12:23 PM, Ian Fette wrote:
>
> I don't understand why we have this for any cert. I'm fine with this being
> displayed in secondary chrome somewhere, but take IE7 for instance. It rolls
> back and forth between "Paypal [US]" and "Issued by Verisign". No offense to
> PHB, but I really don't believe that any user cares at all who issued the
> cert. They have no idea who any of these companies are, they just want to
> know if they're secure or not. (In theory they might want to know if they're
> talking to Paypal or not). I think that's the important info we should show,
> I have no idea why we think it's good to mandate showing issuer.
>
> On Fri, May 2, 2008 at 9:17 AM, Johnathan Nightingale <johnath@mozilla.com> wrote:
> The key word here is "Issuer."
>
> The requirement is that the identity signal make it clear what party (CA)
> is responsible for extending this trust (e.g. Comodo, Entrust, or Verisign).
>  Even in validated (non-AA) certs, we can trust issuers to get their own
> names right.  :)
>
> Language elsewhere talks about what to do for the *subject* of the cert,
> which I think is your confusion here.
>
> Cheers,
>
> Johnathan
>
> On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote:
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content
>
> 6.1.2 Identity Signal says for validated certificates:
>
> "The identity signal MUST include the Issuer field's Organization
> attribute to inform the user about the party responsible for that
> information."
>
> I don't remember why that is for validated certificates. If we did this
> one to death already, please point me to it. Otherwise, my proposal for this
> issue is either:
>
> A) Move that to AA certs only
> B) Change the MUST to a SHOULD. Which actually I feel is still too strong.
> But I'm guessing there's something I'm missing.
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>

Received on Friday, 2 May 2008 17:16:50 UTC