One of the things that is a little bit variable in the way the software presents to the user is the presentation of the information. Specifically, when dealing with certs, we expect the cert to make a claim of some form, and we expect the relying party to be somewhat OK with that claim.
What do people think should be the claim made by software? From a table I have, there are several possibilities:

Thunderbird: "Certificate issued by: CN"
Firefox: "Verified by: O"
Safari: "Issued by: CN"
Konqueror: no claim apparently made, but CN chain is displayed

(I don't have all of them above, please fill out the rest, if you have access to these tools. I've probably got some of them wrong, but that's not the issue today.)

There are two big questions surfacing out of the above:

1. Should the CN or the O be the name displayed for the CA?

2. Looking at Firefox, there is a claim that the cert was *verified* by the named CA. Most of the others just say that the certificate was *issued* by the CA.

There is a pretty big difference between these positions. The Firefox position creates an effective legal claim that the CA has indeed verified the information presented; the others defer that issue to "somewhere else" and make only a strict rendering of the crypto results.

Personally, I quite like the claim that Firefox makes. It would be nice for the user to have *some* view as to what all this stuff is about, and right now they get precious little help from participants in any form of clarity. Firefox helps in this way by providing something pretty simple. The others pass the buck.

OTOH, we might not all agree with the claim that Firefox makes; we may think there is some merit in issuing certs which include unverified information. Or that the user is told nothing about the claim by the software. In which case, Firefox is out on a limb, legally, and a bug should be filed to bring it back to a safe claims position.

The point though is that we should really have a unified position on this, and we should write down the actual situation (as this should in effect become a criterion for audit as well as a commitment by the parties).

What do people think?

iang
_______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto

