On Sun, Dec 20, 2020 at 9:54 AM Matthew Thompson via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> It's not ideal that Google Chrome now states "The connection to this site is 
> using a valid, trusted server certificate issued by R3" (desktop) and "Google 
> Chrome verified that R3 issued this website's certificate" (mobile). But that 
> seems to be an issue the Chromium project could resolve by relying on "O" 
> instead of "CN". Maybe something for you to look into Ryan.

Each browser shows something different to describe the CA.  Using the
site https://www.city.kameyama.mie.jp/ as an example:

Chrome shows the common name of the issuer of the end-entity
certificate in the tooltip.
Safari does not show anything until you go for "Show Certificate"
after clicking the lock.
Firefox shows the organization name of the issuer of the end-entity
certificate in the tooltip.

I don't have IE handy, but it used to show the "friendly name" of the
root, which is from the Microsoft certificate database and is not in
the certificate at all.
I think some other browser used to show the organization name of the
root, but I can't remember which.

There just isn't consistency.  If you want UI consistency as a CA, you
have to duplicate info in various attributes. When I was setting up a
PKI hierarchy a few years ago, I chose to make the organization and
common name the same for all the CAs that were not root CAs.  The
roots all have unique common names because that was a requirement from
Microsoft. You can see the result here:

To the point at the beginning of this thread, all these subordinates
have the exact same common name.  No one has ever complained, to my

dev-security-policy mailing list

Reply via email to