- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 2 May 2008 13:07:27 -0400
- To: Johnathan Nightingale <johnath@mozilla.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <OF21805399.8B2C4AA6-ON8525743D.005DF050-8525743D.005E10D8@LocalDomain>
OK, that's something I can actually understand; dealing with the common
user confusion that the browser is the one who gives the identity. It will
be interesting to see how that plays out in the usability testing we do
after Last Call. I'm satisfied, and since it's my issue, and since we
spent a lot of time together on that section, I'm happy to close it.
Mez
From: Johnathan Nightingale <johnath@mozilla.com>
To: "Ian Fette" <ifette@google.com>
Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, public-wsc-wg@w3.org
Date: 05/02/2008 12:35 PM
Subject: Re: ISSUE-138 Downgrade strength of Issuer field's Organization attribute
IMO, the issue of whether this is primary or secondary is handled
elsewhere. We (Firefox, that is) don't include the CA name in primary
like IE does, for instance, but we do think it's important enough to put
in the popup, the page info dialog, and the tooltip for the primary chrome
button.
The issue is, if we are presenting verified identity, but not saying
anything about who has done the verifying, people will (and have! and will
again!) assume that Mozilla, Microsoft, Opera, or whomever is doing the
verification. This is misleading, and doesn't help users make good trust
decisions. I don't dispute that these companies are not exactly household
names, but the argument that this means their name shouldn't need to be
attached to their claims doesn't wash for me.
You could say "Fine, go ahead and display it if you want, but that doesn't
mean the spec should *require* it" and that's an argument I've used about
many things in the spec that seemed more like "good ideas" than
requirements. But I don't know why we would devote any time in our spec
to AA/verified certs at all without including this. Identity claims don't
mean anything without some association to the person making them. I would
consider a browser which included an identity signal but didn't tell me
where that information came from to be incomplete (and misleading!).
Cheers,
J
On 2-May-08, at 12:23 PM, Ian Fette wrote:
I don't understand why we have this for any cert. I'm fine with this being
displayed in secondary chrome somewhere, but take IE7 for instance. It
rolls back and forth between "Paypal [US]" and "Issued by Verisign". No
offense to PHB, but I really don't believe that any user cares at all who
issued the cert. They have no idea who any of these companies are, they
just want to know if they're secure or not. (In theory they might want to
know if they're talking to Paypal or not). I think that's the important
info we should show; I have no idea why we think it's good to mandate
showing issuer.
On Fri, May 2, 2008 at 9:17 AM, Johnathan Nightingale <johnath@mozilla.com> wrote:
The key word here is "Issuer."
The requirement is that the identity signal make it clear what party (CA)
is responsible for extending this trust (e.g. Comodo, Entrust, or
Verisign). Even in validated (non-AA) certs, we can trust issuers to get
their own names right. :)
Language elsewhere talks about what to do for the *subject* of the cert,
which I think is your confusion here.
Cheers,
Johnathan
On 2-May-08, at 11:54 AM, Mary Ellen Zurko wrote:
http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#signal-content
6.1.2 Identity Signal says for validated certificates:
"The identity signal MUST include the Issuer field's Organization
attribute to inform the user about the party responsible for that
information."
I don't remember why that is for validated certificates. If we did this
one to death already, please point me to it. Otherwise, my proposal for
this issue is either:
A) Move that to AA certs only
B) Change the MUST to a SHOULD. Which actually I feel is still too strong.
But I'm guessing there's something I'm missing.
---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Friday, 2 May 2008 17:08:12 UTC