- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Mon, 8 Sep 2008 08:43:35 -0400
- To: W3C WSC Public <public-wsc-wg@w3.org>
The unfortunate case of Mastercard notwithstanding, I agree with Stephen - my expectation here was that it would always be the direct issuer named, since that is the only organization in the chain which claims direct verification of any attested information.

I likewise thought the language was already clear, but have no problem with making it clearer.

Cheers,

Johnathan

On 7-Sep-08, at 3:26 PM, Stephen Farrell wrote:

> I believe the text as-written refers to the Issuer field in the
> certificate for which the subject is the web server. I also think
> it's already clear, but would have no problem if that were
> clarified.
>
> Presenting the root's information would IMO be wrong.
>
> S.
>
> Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>> Hi,
>>
>> Sec. 6.1.2 currently says
>>
>> "The identity signal MUST include the Issuer field's Organization
>> attribute to inform the user about the party responsible for that
>> information."
>>
>> A problem here may be: Which issuer? Many certificate chains include
>> one or more intermediates, and the intermediates may not use the same
>> organization name as the Root.
>>
>> This will not just be the case in connection with some Cross-signed
>> certificates (which a number of newer CAs are using, while waiting for
>> their root to be distributed), but also for some CAs that are issuing
>> intermediates to larger organizations that want to issue their own
>> certificates.
>>
>> An example of the latter is https://www.mastercard.com/us/gateway.html,
>> which is using a certificate issued by Mastercard's own CA, which was
>> issued by RSA Security, off a Valicert Root (AFAIK, Valicert is a
>> now-defunct Root CA, whose certificates have been sold to other
>> companies because of their value as being embedded in major
>> Rootstores)
>>
>> The correct name may change from case to case, so there may not be a
>> "right" answer that applies to all cases. Having all names might be
>> "correct", but may be problematic due to space constraints in the
>> chrome.
>>
>> I would suggest that this point is clarified to state if the name to be
>> used is the direct issuer's name, or the Root Issuer's name, at least as
>> a minimum requirement.

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Monday, 8 September 2008 12:44:17 UTC
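
The reading discussed in this thread (the identity signal names the Organization from the Issuer field of the web server's own certificate, not the root's) can be shown on a three-tier chain. This is an added example, not part of the original message or of any browser's code; it assumes the Python `cryptography` package, and every certificate name in it is constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(org, cn, ca, parent=None):
    """Build a constructed test certificate; parent is an (issuer_cert, issuer_key) pair."""
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if org:  # an issuer name is allowed to carry no Organization at all
        attrs.insert(0, x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    subject = x509.Name(attrs)
    issuer_name, signing_key = (parent[0].subject, parent[1]) if parent else (subject, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer_name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    return builder.sign(signing_key, hashes.SHA256()), key

def org_of(name):
    """Return the Organization attribute of an X.509 name, or None if it has none."""
    values = name.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return values[0].value if values else None

def is_ca(cert):
    """True if BasicConstraints marks a CA; a missing extension means end-entity."""
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False

def identity_signal_issuer(presented):
    """Issuer Organization of the end-entity certificate, whatever order the chain arrives in."""
    leaves = [c for c in presented if not is_ca(c)]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    return org_of(leaves[0].issuer)

# Constructed chain: the intermediate's Organization differs from the root's.
root = make_cert("Example Root Trust", "Example Root CA", True)
inter = make_cert("Example Merchant Corp", "Example Merchant Issuing CA", True, parent=root)
leaf = make_cert("Example Merchant Corp", "www.example.test", False, parent=inter)
CHAIN = [root[0], leaf[0], inter[0]]  # deliberately out of order

if __name__ == "__main__":
    print("direct issuer O:", identity_signal_issuer(CHAIN))
    print("root O:         ", org_of(root[0].subject))
```

The `None` return for an issuer name without an Organization attribute is a case the quoted Sec. 6.1.2 sentence does not address; a user agent has to decide what to display then.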