Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute

I don't understand why we have this for any cert. I'm fine with this being
displayed in secondary chrome somewhere, but take IE7 for instance. It rolls
back and forth between "Paypal [US]" and "Issued by Verisign". No offense to
PHB, but I really don't believe that any user cares at all who issued the
cert. They have no idea who any of these companies are; they just want to
know if they're secure or not. (In theory they might want to know if they're
talking to Paypal or not). I think that's the important info we should show;
I have no idea why we think it's good to mandate showing issuer.

On Fri, May 2, 2008 at 9:17 AM, Johnathan Nightingale <johnath@mozilla.com>
wrote:

> The key word here is "Issuer."
> The requirement is that the identity signal make it clear what party (CA)
> is responsible for extending this trust (e.g. Comodo, Entrust, or Verisign).
>  Even in validated (non-AA) certs, we can trust issuers to get their own
> names right.  :)
> Language elsewhere talks about what to do for the *subject* of the cert,
> which I think is your confusion here.
>
> Cheers,
>
> Johnathan
>
>
> On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote:
>
>
> http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content
>
> 6.1.2 Identity Signal says for validated certificates:
>
> "The identity signal MUST include the Issuer field's Organization
> attribute to inform the user about the party responsible for that
> information."
>
> I don't remember why that is for validated certificates. If we did this
> one to death already, please point me to it. Otherwise, my proposal for this
> issue is either:
>
> A) Move that to AA certs only
> B) Change the MUST to a SHOULD. Which actually I feel is still too strong.
> But I'm guessing there's something I'm missing.
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com

Received on Friday, 2 May 2008 16:23:54 UTC