Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute

The key word here is "Issuer."

The requirement is that the identity signal make it clear what party  
(CA) is responsible for extending this trust (e.g. Comodo, Entrust, or  
Verisign).  Even in validated (non-AA) certs, we can trust issuers to  
get their own names right.  :)

Language elsewhere talks about what to do for the *subject* of the  
cert, which I think is your confusion here.

Cheers,

Johnathan


On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote:

>
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content
>
> 6.1.2 Identity Signal says for validated certificates:
>
> "The identity signal MUST include the Issuer field's Organization  
> attribute to inform the user about the party responsible for that  
> information."
>
> I don't remember why that is for validated certificates. If we did  
> this one to death already, please point me to it. Otherwise, my  
> proposal for this issue is either:
>
> A) Move that to AA certs only
> B) Change the MUST to a SHOULD. Which actually I feel is still too  
> strong. But I'm guessing there's something I'm missing.
>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 2 May 2008 16:17:55 UTC