- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 2 May 2008 12:24:10 -0400
- To: "Johnathan Nightingale <johnath" <johnath@mozilla.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <OFC8749885.133E66F7-ON8525743D.0059A23F-8525743D.005A1A70@LocalDomain>
Thanks for responding. Why do we think it's important to display the CA as a MUST? That is exactly why I raised this issues (long ago and far away). I don't see why. I feel like I'm channeling Ian here, but it feels like more clutter for no particular goal. From: Johnathan Nightingale <johnath@mozilla.com> To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com> Cc: public-wsc-wg@w3.org Date: 05/02/2008 12:18 PM Subject: Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute The key word here is "Issuer." The requirement is that the identity signal make it clear what party (CA) is responsible for extending this trust (e.g. Comodo, Entrust, or Verisign). Even in validated (non-AA) certs, we can trust issuers to get their own names right. :) Language elsewhere talks about what to do for the *subject* of the cert, which I think is your confusion here. Cheers, Johnathan On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote: http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content 6.1.2 Identity Signal says for validated certificates: "The identity signal MUST include the Issuer field's Organization attribute to inform the user about the party responsible for that information." I don't remember why that is for validated certificates. If we did this one to death already, please point me to it. Otherwise, my proposal for this issue is either: A) Move that to AA certs only B) Change the MUST to a SHOULD. Which actually I feel is still too strong. But I'm guessing there's something I'm missing. --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Friday, 2 May 2008 16:24:52 UTC