On 09/03/12 17:56, Brian Smith wrote:
> The first question is: Should we change our UI to be the same as
> other browsers? My answer is no. It *is* a good idea to show the root
> certificate's organization name in this part of the UI. But, it is
> also important to show all the intermediate organizations' names in
> this part of the UI too. See the recent TrustWave incident for
I don't have a strong opinion at the moment (although I may develop one
- iang's argument seems to me to have merit) on whether we show the
intermediate O field or the root one...
> If others agree, then I will file a bug about
> implementing a change to display the O= field from all CA
> certificates in the chain in this UI.
....but I do have a strong opinion that this solution is needless UI
complexity. It is our job to find out the most appropriate value to
show, and show it; we should not force the entire range on to the user.
> The second question is: Should we change the string in the display of
> the *root* certificate from "VeriSign, Inc." to "Norton." My answer
> is no, because AFAICT this field should contain the legal name of the
> organization that owns the root certificate. In this case, it would
> be "Symantec Corporation" or "VeriSign, Inc." depending on the new
> corporate structure of VeriSign. If Symantec changes the legal name
> of this organization to "Norton" then this would be an acceptable and
> required change. (However, that is impossible, because US law
> requires businesses include "Inc.," "Corporation," "LLC.," etc in
> their legal name.)
Quite so. The EV chrome is not a marketing tool.
> The third question is: Should the UI replace the display of the O=
> field of *intermediate* certificates that chain to
> Symantec/VeriSign's roots to "Norton" when the value is "VeriSign,
> Inc." My answer is no. See the recent TrustWave incident for
> motivation. It is important to display the information in the
> intermediate certificates exactly as we received it in the
> certificate. We have too many more important things to do. And, our
> users do not benefit from such a change.
See above; I think this question is moot given my answer there.