Re: Which issuer should be displayed in the Identity signal?

I would suggest that if an active and engaged member of the WG is confused 
about the language, it's not clear enough. Is this clearer and still 
accurate? 

"The identity signal MUST include the certificate's Issuer field's
Organization attribute to inform the user about the party responsible for
that information."



          Mez





From: Johnathan Nightingale <johnath@mozilla.com>
To: W3C WSC Public <public-wsc-wg@w3.org>
Date: 09/08/2008 09:14 AM
Subject: Re: Which issuer should be displayed in the Identity signal?
Sent by: public-wsc-wg-request@w3.org




The unfortunate case of Mastercard notwithstanding, I agree with 
Stephen - my expectation here was that it would always be the direct 
issuer named, since that is the only organization in the chain which 
claims direct verification of any attested information.  I likewise 
thought the language was already clear, but have no problem with 
making it clearer.

Cheers,

Johnathan

On 7-Sep-08, at 3:26 PM, Stephen Farrell wrote:

>
>
> I believe the text as-written refers to the Issuer field in the
> certificate for which the subject is the web server. I also think
> its already clear, but would have no problem if that were
> clarified.
>
> Presenting the root's information would IMO be wrong.
>
> S.
>
> Yngve N. Pettersen (Developer Opera Software ASA) wrote:
>>
>>
>> Hi,
>>
>> Sec. 6.1.2  currently says
>>
>>  "The identity signal MUST include the Issuer field's Organization
>> attribute to inform the user about the party responsible for that
>> information."
>>
>> A problem here may be: Which issuer? Many certificate chains include one
>> or more intermediates, and the intermediates may not use the same
>> organization name as the Root.
>>
>> This will not just be the case in connection with some Cross-signed
>> certificates (which a number of newer CAs are using, while waiting for
>> their root to be distributed), but also for some CAs that are issuing
>> intermediates to larger organizations that want to issue their own
>> certificates.
>>
>> An example of the latter is https://www.mastercard.com/us/gateway.html,
>> which is using a certificate issued by Mastercard's own CA, which was
>> issued by RSA Security, off a Valicert Root (AFAIK, Valicert is a
>> now-defunct Root CA, whose certificates have been sold to other
>> companies because of their value as being embedded in major
>> Rootstores).
>>
>> The correct name may change from case to case, so there may not be a
>> "right" answer that applies to all cases. Having all names might be
>> "correct", but may be problematic due to space constraints in the
>> chrome.
>>
>> I would suggest that this point is clarified to state if the name to be
>> used is the direct issuer's name, or the Root Issuer's name, at least as
>> a minimum requirement.
>>
>

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com

Received on Friday, 12 September 2008 14:00:59 UTC