Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
* Brian Smith: The first question is: Should we change our UI to be the same as other browsers? My answer is no. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. I don't think this is really helpful because intermediate certificates often use pseudonyms or really misleading names. A typical chain looks like this: AddTrust External CA Root AddTrust AB UTN-UserFirst-Hardware The USERTRUST Network EuropeanSSL Server CA EUNETIC GmbH Currently, the left-hand chain is shown in the certificate dialog, and EUNETIC GmbH (which is not a pseudonym, unlike the rest) is shown by the certificate information attached to the URL bar. Speaking of the URL bar security information, the which is run by label in the EV information is quite misleading because the EV process does not ensure that the certificate subject runs the web site. There are even a few cases where the web site owner emphatically denies that they are controlled by the certificate subject! The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. This is very desirable indeed, but it's a lot of work if intermediate certificates are to be covered as well. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
On 09/03/12 17:56, Brian Smith wrote: The first question is: Should we change our UI to be the same as other browsers? My answer is no. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. I don't have a strong opinion at the moment (although I may develop one - iang's argument seems to me to have merit) on whether we show the intermediate O field or the root one... If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. but I do have a strong opinion that this solution is needless UI complexity. It is our job to find out the most appropriate value to show, and show it; we should not force the entire range on to the user. The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be Symantec Corporation or VeriSign, Inc. depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to Norton then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include Inc., Corporation, LLC., etc in their legal name.) Quite so. The EV chrome is not a marketing tool. The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to Norton when the value is VeriSign, Inc. My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change. See above; I think this question is moot given my answer there. Gerv -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
On 12/03/12 21:56 PM, Gervase Markham wrote: On 09/03/12 17:56, Brian Smith wrote: The first question is: Should we change our UI to be the same as other browsers? My answer is no. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. I don't have a strong opinion at the moment (although I may develop one - iang's argument seems to me to have merit) on whether we show the intermediate O field or the root one... If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. ...but I do have a strong opinion that this solution is needless UI complexity. It is our job to find out the most appropriate value to show, and show it; we should not force the entire range on to the user. The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be Symantec Corporation or VeriSign, Inc. depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to Norton then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include Inc., Corporation, LLC., etc in their legal name.) Quite so. The EV chrome is not a marketing tool. This is a very complex area. Security thinking for strong user interaction would demand that the brand be shown (this is fairly standard for example in credit card security the brand of the card issuer is shown prominently ... it's part of the security model). That's because brands are what users see and perceive, and therefore brands are defensible in ways that corp names are not. But for subscriber/EE certs, CAs/vendors have typically shown the legal name of the certificate holders. Typically this is justified as being something that can be checked to some reasonable level (with a nod to Philipp's post) however this is a supply side claim. Typically the legal name is not ever seriously presented as something that is useful to users. e.g., godaddy versus starfield. From this EE focus of check the legal name, show it to the user paradigm perhaps it is thought sensible to do the same for CAs. But again, this seems to reduce back to logic like the EE case. However ... it may be that the foundation is lacking - has any vendor actually checked the legal name of CAs to the same extent as claimed in say BR? Checked with some state registry the existence of a filed organisation of the name of the CA, confirmed who the signing officers are, demanded their ID and signature on the application for root listing? The point is not that you should do this ... but to question why you would want to slavishly present the legal name of the CA? For users, they want the brand. That's what they are taught, and for good marketing reasons. The brand in question was Verisign, not Verisign Inc. Certainly, from this pov, if new roots where presented by Symantec Inc with Norton in the O field, I'd not object. iang The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to Norton when the value is VeriSign, Inc. My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change. See above; I think this question is moot given my answer there. Gerv -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
It is hard to see that GUI changes would have any function except for the very few who understand the difference between roots and sub-CAs. It is similar to the EV green bar. It doesn't make any difference for normal people. The recent screw-ups didn't invalidate the system; it rather made the certificates vendors a bit more concerned about their operations which is good. Screw-ups is the road to improvements :-) -anders -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
Geoffrey Noakes wrote: The *only* change we are asking of Mozilla is to change Verified by: VeriSign, Inc. in the hover-over box to Verified by Norton: In Firefox, we show the name of the organization that issued the intermediate certificate (the subject O= field of the intermediate certificate) in the hover box. This information comes directly from the intermediate certificate. I have been told, but haven't verified, that other browsers show the name of the organization that issued the root certificate (the subject O= field of the root certificate) in their UI. The first question is: Should we change our UI to be the same as other browsers? My answer is no. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be Symantec Corporation or VeriSign, Inc. depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to Norton then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include Inc., Corporation, LLC., etc in their legal name.) The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to Norton when the value is VeriSign, Inc. My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change. I am interested in hearing other peoples' thoughts on the matter. Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
On 03/09/2012 07:56 PM, From Brian Smith: If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. My question would be how you would do that, is there enough UI real estate for that? If there is, it would be terrific. Otherwise I assume that the current UI is the most correct implementation. The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. No, this is a brand name and not the incorporated organization name. However in case you want to implement something different than using the organization field of the issuer certificate, than it should be probably Symantec Inc.. In fact this they could easily achieve themselves by issuing new intermediate CA certificates from the Verisign root with the correct organization field. Just a small warning - they should not attempt to use Norton in the organization field, this would clearly violate the Mozilla policy and Baseline Requirements. -- Regards Signer: Eddy Nigg, StartCom Ltd. XMPP:start...@startcom.org Blog:http://blog.startcom.org/ Twitter: http://twitter.com/eddy_nigg -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
On Fri, Mar 9, 2012 at 9:56 AM, Brian Smith bsm...@mozilla.com wrote: The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. Ideally this string should come from the certificate. The fundamental purpose of a certificate is to bind a public key to a name. If the displayed name is not in the certificate, that will confuse the user when he opens the certificate viewer dialog and sees no mention of Norton in the certificate. Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox
On 10/03/12 04:56 AM, Brian Smith wrote: Geoffrey Noakes wrote: The *only* change we are asking of Mozilla is to change Verified by: VeriSign, Inc. in the hover-over box to Verified by Norton: In Firefox, we show the name of the organization that issued the intermediate certificate (the subject O= field of the intermediate certificate) in the hover box. This information comes directly from the intermediate certificate. I have been told, but haven't verified, that other browsers show the name of the organization that issued the root certificate (the subject O= field of the root certificate) in their UI. The first question is: Should we change our UI to be the same as other browsers? My answer is no. Go! Brian, I'll always support Mozilla doing it's own stuff in security. That's why I currently like Chrome and dislike Firefox :) Unfortunately, too much of security is done herd-like. So consequently the UI is worst practices - the lowest common denominator effect - what the browsers could most agree on and suffer least on. If you can get Mozilla to start breaking things in Firefox's browser, all power to you. We can only improve by breaking things. Competition in security is the only way forward. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI. The root is responsible. The intermediate organisation is responsible to the root, but Mozilla holds the root entirely and completely responsible for meeting the party. This has recently been affirmed over on the policy group, although there are some holdouts in the CAs that are trying to muddy the waters so they can still distro the responsibility away from them. Let's stick to the principles. The root is responsible. However, according to the principle of delegation, the root can delegate any of its functions - detailed actions - to any party, as long as it maintains its responsibility. Indeed the root organisation always will delegate the functions to other agents, because a corporation isn't able to do anything by itself, it's not corporeal, it's a legal myth. Typically this means delegation to employees, but also to RAs being other organisations that have other employees. No matter the details, the root remains responsible. So from that pov, the root should always be shown. However it seems to be widespread but slippery behaviour in the industry to delegate entire CA functioning to a new organisation to act as a CA in and of its own right. Whatever we want or try to want at Mozilla, it seems futile to ignore the rest of the world, and where we can shine a little light we should. Therefore I agree that the intermediate names should be shown. (I also agree that the root CA should always be shown on the chrome, as otherwise users think Mozilla verified the site. And Mozilla is responsible.) The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be Symantec Corporation or VeriSign, Inc. depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to Norton then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include Inc., Corporation, LLC., etc in their legal name.) Two things: You have to get that string from somewhere. I'm guessing it is either the O in the cert, or it is some cached name in the root list. Which doesn't show intermediates... currently. 2. Relying on the O to show the proper name (legal?) is nice but unreliable. Until vendors do due diligence on CAs' names to the same extent CAs claim they do it on their subscribers, you'll get a mishmash of approaches. This is no easy question, you'll run into all sorts of difficulties trying to establish a standard approach - certificates and x509 are not really a good place for semantic standardisation. The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to Norton when the value is VeriSign, Inc. My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change. Yes, exactly as found in the cert. You are the browser, they are the
