- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Mon, 20 Nov 2006 21:52:06 -0600
- To: <public-wsc-wg@w3.org>
For ACTION-13: Elaborate on multiple certificates & domains for session servers case

A user has a relationship with a legal entity, like a person or a company, not with a domain name. For the case where there is a one-to-one correspondence between domain name and legal entity, the difference may be overlooked; however, many legal entities on the web use multiple domain names. Current use of SSL on the web authenticates domain names, and only vaguely identifies legal entities, so it is left to the user to figure out which domain names correspond to which legal entities. Ideally, the browser would do this work for the user and track when the user was interacting with a known acquaintance versus a stranger.

For this user interface to be possible, identification of related domain names must move from the vague to the exact. In particular, a legal entity needs a standard way to express what domain names should be treated as equivalent by users.

Currently deployed SSL server certificates commonly provide the following attributes to identify the server: CN, the hostname; O, the organization name; OU, the organization unit; C, the country; ST, the state; L, the city. An SSL server certificate is also signed by some issuing certificate.

Identification of related hosts could be accomplished by standardizing some subset of these certificate attributes for use as the legal entity identifier. For example, the Petname Tool <https://addons.mozilla.org/firefox/957/> uses the subset (root issuer public key, O, C, ST, L) as the legal entity identifier. Similar tools are known to use different subsets.

Tyler
Received on Tuesday, 21 November 2006 13:45:23 UTC
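The following is an added example, not part of Tyler's message and not the Petname Tool's own code. It shows how a client could derive the legal-entity identifier the message describes, the tuple (root issuer public key, O, C, ST, L), from a certificate chain: a minimal DER decoder pulls the X.520 attributes out of the leaf's subject Name, the root's SubjectPublicKeyInfo is fingerprinted with SHA-256 (the choice of hash is this example's assumption), and two chains are considered the same entity only when all five components match exactly. The sample Names and key bytes are constructed in the block with a small DER encoder; they are not real certificates. The chain is assumed to have already been validated to its root, since the identifier is only meaningful once the browser trusts the path that ends in that root key.

```python
import hashlib

# X.520 attribute types named in the message (dotted OID -> short name).
OID_TO_SHORT = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
                "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
SHORT_TO_OID = {v: k for k, v in OID_TO_SHORT.items()}

# --- minimal DER encode/decode, just enough for an X.501 Name ---------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def der_name(attrs):
    """Encode [(short_name, value), ...] as Name ::= SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _encode_oid(SHORT_TO_OID[k]) + _tlv(0x0C, v.encode("utf-8"))))
                    for k, v in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Decode a DER Name into {short_name: value}; unknown attribute types are keyed by dotted OID."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, p = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, p)   # PrintableString/IA5String/UTF8String all decode as UTF-8
            oid = _decode_oid(oid_body)
            attrs[OID_TO_SHORT.get(oid, oid)] = value.decode("utf-8")
    return attrs

# --- legal-entity identifier: (root issuer public key, O, C, ST, L) ---------

ENTITY_ATTRS = ("O", "C", "ST", "L")

def entity_id(chain):
    """chain: already-validated path, leaf first, each cert as {'subject': DER Name, 'spki': DER SPKI}.
    Returns (sha256(root spki), O, C, ST, L), or None when the leaf lacks any of the four attributes
    (a hostname-only certificate identifies a domain name, not a legal entity)."""
    leaf = parse_name(chain[0]["subject"])
    if any(a not in leaf for a in ENTITY_ATTRS):
        return None
    root_fingerprint = hashlib.sha256(chain[-1]["spki"]).hexdigest()
    # Exact string comparison on purpose: any normalization widens what is treated as "the same entity".
    return (root_fingerprint,) + tuple(leaf[a] for a in ENTITY_ATTRS)

def same_entity(chain_a, chain_b):
    ida = entity_id(chain_a)
    return ida is not None and ida == entity_id(chain_b)

# --- constructed sample data (placeholder bytes, not real keys or certificates) ---

ROOT_A_SPKI = b"constructed-root-A-subjectPublicKeyInfo"
ROOT_B_SPKI = b"constructed-root-B-subjectPublicKeyInfo"
ORG = [("C", "US"), ("ST", "Texas"), ("L", "Austin"), ("O", "Example Corp")]

def _chain(cn, org_attrs, root_spki):
    leaf = {"subject": der_name(org_attrs + [("CN", cn)]), "spki": b"constructed-leaf-key-" + cn.encode()}
    root = {"subject": der_name([("O", "Constructed Root CA")]), "spki": root_spki}
    return [leaf, root]

WWW = _chain("www.example.com", ORG, ROOT_A_SPKI)
SHOP = _chain("shop.example.net", ORG, ROOT_A_SPKI)       # different domain, same entity
LOOKALIKE = _chain("www.example.com", ORG, ROOT_B_SPKI)   # same O/C/ST/L, but a different root
DV_ONLY = _chain("www.example.com", [], ROOT_A_SPKI)      # hostname only: no O, C, ST or L

if __name__ == "__main__":
    print(parse_name(WWW[0]["subject"]))
    print(same_entity(WWW, SHOP), same_entity(WWW, LOOKALIKE), entity_id(DV_ONLY))
```

Two points the example makes concrete: the root key is part of the identifier, so a certificate from a different root that copies the same O/C/ST/L strings does not match the known acquaintance; and a certificate that carries only a CN yields no entity identifier at all, so such a site can only ever be shown as a stranger.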