Re: Which issuer should be displayed in the Identity signal?

The unfortunate case of Mastercard notwithstanding, I agree with Stephen - my expectation here was that it would always be the direct issuer named, since that is the only organization in the chain which claims direct verification of any attested information. I likewise thought the language was already clear, but have no problem with making it clearer.

Cheers,

Johnathan

On 7-Sep-08, at 3:26 PM, Stephen Farrell wrote:

>
>
> I believe the text as-written refers to the Issuer field in the
> certificate for which the subject is the web server. I also think
> it's already clear, but would have no problem if that were
> clarified.
>
> Presenting the root's information would IMO be wrong.
>
> S.
>
> Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>>
>>
>> Hi,
>>
>> Sec. 6.1.2 currently says
>>
>>  "The identity signal MUST include the Issuer field's Organization
>> attribute to inform the user about the party responsible for that
>> information."
>>
>> A problem here may be: Which issuer? Many certificate chains include one or more intermediates, and the intermediates may not use the same organization name as the Root.
>>
>> This will not just be the case in connection with some Cross-signed certificates (which a number of newer CAs are using, while waiting for their root to be distributed), but also for some CAs that are issuing intermediates to larger organizations that want to issue their own certificates.
>>
>> An example of the latter is https://www.mastercard.com/us/gateway.html, which is using a certificate issued by Mastercard's own CA, which was issued by RSA Security, off a Valicert Root (AFAIK, Valicert is a now-defunct Root CA, whose certificates have been sold to other companies because of their value as being embedded in major Rootstores).
>>
>> The correct name may change from case to case, so there may not be a "right" answer that applies to all cases. Having all names might be "correct", but may be problematic due to space constraints in the chrome.
>>
>> I would suggest that this point is clarified to state if the name to be used is the direct issuer's name, or the Root Issuer's name, at least as a minimum requirement.
>>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Monday, 8 September 2008 12:44:17 UTC
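The chain shape Yngve describes (a site certificate issued by the operator's own CA, which was in turn issued by a reseller CA under a public root) makes the difference between "direct issuer" and "root" concrete. The Go program below is an added example, not code from the thread or from any browser; it builds such a four-certificate chain with the standard library, verifies it the way a client would before showing any identity signal, and then reads the Organization of the leaf's Issuer field (the reading Stephen and Johnathan settle on) next to the Organization of the root. All organization and host names in it are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certWithKey pairs a parsed certificate with the private key that can sign children.
type certWithKey struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert issues a certificate for (org, cn). With parent == nil it is self-signed (a root).
func newCert(serial int64, org, cn string, isCA bool, parent *certWithKey) (*certWithKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certWithKey{cert: cert, key: key}, nil
}

// BuildDemoChain constructs a chain shaped like the enterprise case in the thread: a
// public root, a reseller CA, an enterprise CA run by the site operator, and finally the
// web server certificate. Names are constructed for this example. Returned leaf first.
func BuildDemoChain() ([]*x509.Certificate, error) {
	specs := []struct {
		org, cn string
		isCA    bool
	}{
		{"Example Root CA Ltd", "Example Root", true},
		{"Example Reseller Security Inc", "Example Reseller CA", true},
		{"Example Corp", "Example Corp Internal CA", true},
		{"Example Corp", "gateway.example.com", false},
	}
	var parent *certWithKey
	var chain []*x509.Certificate
	for i, s := range specs {
		c, err := newCert(int64(i+1), s.org, s.cn, s.isCA, parent)
		if err != nil {
			return nil, err
		}
		chain = append([]*x509.Certificate{c.cert}, chain...) // prepend so the leaf ends up first
		parent = c
	}
	return chain, nil
}

// VerifyChain validates the leaf against the root and intermediates, as a browser does
// before it shows any identity signal, and returns the verified chain leaf first.
func VerifyChain(chain []*x509.Certificate) ([]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(chain[len(chain)-1])
	for _, c := range chain[1 : len(chain)-1] {
		inters.AddCert(c)
	}
	chains, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: chain[0].DNSNames[0]})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// DirectIssuerOrg is the Organization from the Issuer field of the web server
// certificate: the CA that actually performed the verification of the site.
func DirectIssuerOrg(chain []*x509.Certificate) string {
	return strings.Join(chain[0].Issuer.Organization, ", ")
}

// RootOrg is the Organization of the self-signed certificate at the top of the chain,
// which did not verify the site and so is not what the identity signal should show.
func RootOrg(chain []*x509.Certificate) string {
	return strings.Join(chain[len(chain)-1].Subject.Organization, ", ")
}

func main() {
	chain, err := BuildDemoChain()
	if err != nil {
		panic(err)
	}
	verified, err := VerifyChain(chain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("direct issuer organization: %s\n", DirectIssuerOrg(verified))
	fmt.Printf("root organization:          %s\n", RootOrg(verified))
}
```

Running it prints the enterprise CA's organization as the direct issuer and a different organization for the root, which is exactly the ambiguity the thread asks Sec. 6.1.2 to resolve; the identity signal reads `chain[0].Issuer`, never the top of the verified chain.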