Re: Which issuer should be displayed in the Identity signal?

I believe the text as-written refers to the Issuer field in the
certificate for which the subject is the web server. I also think
it's already clear, but would have no problem if that were
clarified.

Presenting the root's information would IMO be wrong.

S.

Yngve N. Pettersen (Developer Opera Software ASA) wrote:
> 
> 
> Hi,
> 
> Sec. 6.1.2  currently says
> 
>   "The identity signal MUST include the Issuer field's Organization
> attribute to inform the user about the party responsible for that
> information."
> 
> A problem here may be: Which issuer? Many certificate chains include one
> or more intermediates, and the intermediates may not use the same
> organization name as the Root.
> 
> This will not just be the case in connection with some Cross-signed
> certificates (which a number of newer CAs are using, while waiting for
> their root to be distributed), but also for some CAs that are issuing
> intermediates to larger organizations that want to issue their own
> certificates.
> 
> An example of the latter is https://www.mastercard.com/us/gateway.html ,
> which is using a certificate issued by Mastercard's own CA, which was
> issued by RSA Security, off a Valicert Root (AFAIK, Valicert is a
> now-defunct Root CA, whose certificates have been sold to other
> companies because of their value as being embedded in major Rootstores)
> 
> The correct name may change from case to case, so there may not be a
> "right" answer that applies to all cases. Having all names might be
> "correct", but may be problematic due to space constraints in the chrome.
> 
> I would suggest that this point is clarified to state if the name to be
> used is the direct issuer's name, or the Root Issuer's name, at least as
> a minimum requirement.
> 

Received on Sunday, 7 September 2008 19:27:02 UTC
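
An added example, not part of the original thread: this Go program builds a constructed root, intermediate and leaf chain in which the intermediate and the root carry different Organization names, verifies it, and returns the two candidate values discussed above (the Organization in the leaf's Issuer field and the Organization of the root). All names, and the helpers `issue` and `IssuerNames`, are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs a certificate for org/cn with the parent's key; a nil parent means self-signed.
func issue(n int64, org, cn string, ca bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	t := &x509.Certificate{SerialNumber: big.NewInt(n), IsCA: ca, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// IssuerNames returns the O of the leaf's Issuer field and the O of the root that ends
// the verified chain (leaf, intermediate, root). All names are constructed sample values.
func IssuerNames() (direct, root string) {
	rootCert, rootKey := issue(1, "Example Root Trust", "Example Root CA", true, nil, nil)
	subCert, subKey := issue(2, "Example Merchant Corp", "Merchant Issuing CA", true, rootCert, rootKey)
	leaf, _ := issue(3, "Example Merchant Corp", "www.example.test", false, subCert, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(subCert)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	check(err)
	return leaf.Issuer.Organization[0], chains[0][len(chains[0])-1].Subject.Organization[0]
}

func main() { fmt.Println(IssuerNames()) }
```

Here the leaf's Issuer Organization is the intermediate's name, while the root's Organization appears only at the end of the verified chain, so a user agent must pick one of the two deliberately.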