Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Brian Smith-31
Geoffrey Noakes wrote:
>
> The *only* change we are asking of Mozilla is to change "Verified by:
> VeriSign, Inc." in the hover-over box to "Verified by Norton":

In Firefox, we show the name of the organization that issued the intermediate certificate (the subject O= field of the intermediate certificate) in the hover box. This information comes directly from the intermediate certificate.

I have been told, but haven't verified, that other browsers show the name of the organization that issued the root certificate (the subject O= field of the root certificate) in their UI.

The first question is: Should we change our UI to be the same as other browsers? My answer is no. It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI.

The second question is: Should we change the string in the display of the *root* certificate from "VeriSign, Inc." to "Norton." My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be "Symantec Corporation" or "VeriSign, Inc." depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to "Norton" then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include "Inc.," "Corporation," "LLC.," etc in their legal name.)

The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to "Norton" when the value is "VeriSign, Inc." My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change.

I am interested in hearing other peoples' thoughts on the matter.

Cheers,
Brian
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Eddy Nigg (StartCom Ltd.)
On 03/09/2012 07:56 PM, From Brian Smith:
> If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI.

My question would be how you would do that, is there enough UI real
estate for that? If there is, it would be terrific. Otherwise I assume
that the current UI is the most correct implementation.

> The second question is: Should we change the string in the display of the *root* certificate from "VeriSign, Inc." to "Norton."

No, this is a brand name and not the incorporated organization name.
However in case you want to implement something different than using the
organization field of the issuer certificate, than it should be probably
"Symantec Inc.". In fact this they could easily achieve themselves by
issuing new intermediate CA certificates from the Verisign root with the
correct organization field.

Just a small warning - they should not attempt to use "Norton" in the
organization field, this would clearly violate the Mozilla policy and
Baseline Requirements.

--
Regards

Signer:  Eddy Nigg, StartCom Ltd.
XMPP:    [hidden email]
Blog:   http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Wan-Teh Chang-3
In reply to this post by Brian Smith-31
On Fri, Mar 9, 2012 at 9:56 AM, Brian Smith <[hidden email]> wrote:
>
> The second question is: Should we change the string in the display of the *root* certificate from "VeriSign, Inc." to "Norton."

Ideally this string should come from the certificate.  The fundamental
purpose of a certificate is to bind a public key to a name.  If the
displayed name is not in the certificate, that will confuse the user
when he opens the certificate viewer dialog and sees no mention of
"Norton" in the certificate.

Wan-Teh
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

ianG-2
In reply to this post by Brian Smith-31
On 10/03/12 04:56 AM, Brian Smith wrote:

> Geoffrey Noakes wrote:
>>
>> The *only* change we are asking of Mozilla is to change "Verified by:
>> VeriSign, Inc." in the hover-over box to "Verified by Norton":
>
> In Firefox, we show the name of the organization that issued the intermediate certificate (the subject O= field of the intermediate certificate) in the hover box. This information comes directly from the intermediate certificate.
>
> I have been told, but haven't verified, that other browsers show the name of the organization that issued the root certificate (the subject O= field of the root certificate) in their UI.
>
> The first question is: Should we change our UI to be the same as other browsers? My answer is no.

Go!  Brian, I'll always support Mozilla doing it's own stuff in
security.  That's why I currently like Chrome and dislike Firefox :)
Unfortunately, too much of security is done herd-like.  So consequently
the UI is worst practices - the lowest common denominator effect - what
the browsers could most agree on and suffer least on.

If you can get Mozilla to start breaking things in Firefox's browser,
all power to you.  We can only improve by breaking things.  Competition
in security is the only way forward.

> It *is* a good idea to show the root certificate's organization name in this part of the UI. But, it is also important to show all the intermediate organizations' names in this part of the UI too. See the recent TrustWave incident for motivation. If others agree, then I will file a bug about implementing a change to display the O= field from all CA certificates in the chain in this UI.

The root is responsible.  The intermediate organisation is responsible
to the root, but Mozilla holds the root entirely and completely
responsible for meeting the party.  This has recently been affirmed over
on the policy group, although there are some holdouts in the CAs that
are trying to muddy the waters so they can still distro the
responsibility away from them.  Let's stick to the principles.

The root is responsible.

However, according to the principle of delegation, the root can delegate
any of its functions - detailed actions - to any party, as long as it
maintains its responsibility.  Indeed the root organisation always will
delegate the functions to other agents, because a corporation isn't able
to do anything by itself, it's not corporeal, it's a legal myth.
Typically this means delegation to employees, but also to RAs being
other organisations that have other employees.

No matter the details, the root remains responsible.  So from that pov,
the root should always be shown.

However it seems to be widespread but slippery behaviour in the industry
to delegate entire CA functioning to a new organisation to act as a CA
in and of its own right.  Whatever we want or try to want at Mozilla, it
seems futile to ignore the rest of the world, and where we can shine a
little light we should.

Therefore I agree that the intermediate names should be shown.

(I also agree that the root CA should always be shown on the chrome, as
otherwise users think Mozilla verified the site.  And Mozilla is
responsible.)


> The second question is: Should we change the string in the display of the *root* certificate from "VeriSign, Inc." to "Norton." My answer is no, because AFAICT this field should contain the legal name of the organization that owns the root certificate. In this case, it would be "Symantec Corporation" or "VeriSign, Inc." depending on the new corporate structure of VeriSign. If Symantec changes the legal name of this organization to "Norton" then this would be an acceptable and required change. (However, that is impossible, because US law requires businesses include "Inc.," "Corporation," "LLC.," etc in their legal name.)

Two things: You have to get that string from somewhere.  I'm guessing it
is either the "O" in the cert, or it is some cached name in the root
list.  Which doesn't show intermediates... currently.

2.  Relying on the "O" to show the proper name (legal?) is nice but
unreliable.  Until vendors do due diligence on CAs' names to the same
extent CAs claim they do it on their subscribers, you'll get a mishmash
of approaches.  This is no easy question, you'll run into all sorts of
difficulties trying to establish a standard approach - certificates and
x509 are not really a good place for semantic standardisation.

> The third question is: Should the UI replace the display of the O= field of *intermediate* certificates that chain to Symantec/VeriSign's roots to "Norton" when the value is "VeriSign, Inc." My answer is no. See the recent TrustWave incident for motivation. It is important to display the information in the intermediate certificates exactly as we received it in the certificate. We have too many more important things to do. And, our users do not benefit from such a change.


Yes, exactly as found in the cert.  You are the browser, they are the
certification authority.  If they certified names in the certs, that's
something you should take on at face value.  Otherwise you are
infringing on the original claims made and that has consequences that
bounce up and down the legal chain.

(See above the comment about Mozilla claiming to have verified the site
by absence of any alternate theory presented on the chrome.  There are
other misstruths in the browser like "you do not trust this site" ...
but that's a wider rant.  As BR comes through and more of the legal
links are written down end-to-end, you'll be under more pressure to
clean up the claims you make to users.)


> I am interested in hearing other peoples' thoughts on the matter.
>
> Cheers,
> Brian


All, just my jotted off thoughts, others usually disagree.

iang
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Anders Rundgren
In reply to this post by Eddy Nigg (StartCom Ltd.)
It is hard to see that GUI changes would have any function except for
the very few who understand the difference between roots and sub-CAs.

It is similar to the EV green bar.  It doesn't make any difference for
"normal" people.

The recent screw-ups didn't invalidate the system; it rather made the
certificates vendors a bit more concerned about their operations which
is good.  Screw-ups is the road to improvements :-)

-anders


--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Gervase Markham
In reply to this post by Brian Smith-31
On 09/03/12 17:56, Brian Smith wrote:
> The first question is: Should we change our UI to be the same as
> other browsers? My answer is no. It *is* a good idea to show the root
> certificate's organization name in this part of the UI. But, it is
> also important to show all the intermediate organizations' names in
> this part of the UI too. See the recent TrustWave incident for
> motivation.

I don't have a strong opinion at the moment (although I may develop one
- iang's argument seems to me to have merit) on whether we show the
intermediate O field or the root one...

> If others agree, then I will file a bug about
> implementing a change to display the O= field from all CA
> certificates in the chain in this UI.

....but I do have a strong opinion that this solution is needless UI
complexity. It is our job to find out the most appropriate value to
show, and show it; we should not force the entire range on to the user.

> The second question is: Should we change the string in the display of
> the *root* certificate from "VeriSign, Inc." to "Norton." My answer
> is no, because AFAICT this field should contain the legal name of the
> organization that owns the root certificate. In this case, it would
> be "Symantec Corporation" or "VeriSign, Inc." depending on the new
> corporate structure of VeriSign. If Symantec changes the legal name
> of this organization to "Norton" then this would be an acceptable and
> required change. (However, that is impossible, because US law
> requires businesses include "Inc.," "Corporation," "LLC.," etc in
> their legal name.)

Quite so. The EV chrome is not a marketing tool.

> The third question is: Should the UI replace the display of the O=
> field of *intermediate* certificates that chain to
> Symantec/VeriSign's roots to "Norton" when the value is "VeriSign,
> Inc." My answer is no. See the recent TrustWave incident for
> motivation. It is important to display the information in the
> intermediate certificates exactly as we received it in the
> certificate. We have too many more important things to do. And, our
> users do not benefit from such a change.

See above; I think this question is moot given my answer there.

Gerv
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

ianG-2
On 12/03/12 21:56 PM, Gervase Markham wrote:

> On 09/03/12 17:56, Brian Smith wrote:
>> The first question is: Should we change our UI to be the same as
>> other browsers? My answer is no. It *is* a good idea to show the root
>> certificate's organization name in this part of the UI. But, it is
>> also important to show all the intermediate organizations' names in
>> this part of the UI too. See the recent TrustWave incident for
>> motivation.
>
> I don't have a strong opinion at the moment (although I may develop one
> - iang's argument seems to me to have merit) on whether we show the
> intermediate O field or the root one...
>
>> If others agree, then I will file a bug about
>> implementing a change to display the O= field from all CA
>> certificates in the chain in this UI.
>
> ...but I do have a strong opinion that this solution is needless UI
> complexity. It is our job to find out the most appropriate value to
> show, and show it; we should not force the entire range on to the user.
>
>> The second question is: Should we change the string in the display of
>> the *root* certificate from "VeriSign, Inc." to "Norton." My answer
>> is no, because AFAICT this field should contain the legal name of the
>> organization that owns the root certificate. In this case, it would
>> be "Symantec Corporation" or "VeriSign, Inc." depending on the new
>> corporate structure of VeriSign. If Symantec changes the legal name
>> of this organization to "Norton" then this would be an acceptable and
>> required change. (However, that is impossible, because US law
>> requires businesses include "Inc.," "Corporation," "LLC.," etc in
>> their legal name.)
>
> Quite so. The EV chrome is not a marketing tool.



This is a very complex area.  Security thinking for strong user
interaction would demand that the brand be shown (this is fairly
standard for example in credit card security the brand of the card
issuer is shown prominently ... it's part of the security model).
That's because brands are what users see and perceive, and therefore
brands are defensible in ways that corp names are not.

But for subscriber/EE certs, CAs/vendors have typically shown the legal
name of the certificate holders.  Typically this is justified as being
something that can be checked to some reasonable level (with a nod to
Philipp's post) however this is a supply side claim.  Typically the
legal name is not ever seriously presented as something that is useful
to users.  e.g., godaddy versus starfield.

 From this EE focus of "check the legal name, show it to the user"
paradigm perhaps it is thought sensible to do the same for CAs.  But
again, this seems to reduce back to logic like the EE case.

However ... it may be that the foundation is lacking - has any vendor
actually checked the legal name of CAs to the same extent as claimed in
say BR?  Checked with some state registry the existence of a filed
organisation of the name of the CA, confirmed who the signing officers
are, demanded their ID and signature on the application for root listing?

The point is not that you should do this ... but to question why you
would want to slavishly present the legal name of the CA?

For users, they want the brand.  That's what they are taught, and for
good marketing reasons.  The brand in question was Verisign, not
Verisign Inc.

Certainly, from this pov, if new roots where presented by Symantec Inc
with "Norton" in the O field, I'd not object.



iang


>> The third question is: Should the UI replace the display of the O=
>> field of *intermediate* certificates that chain to
>> Symantec/VeriSign's roots to "Norton" when the value is "VeriSign,
>> Inc." My answer is no. See the recent TrustWave incident for
>> motivation. It is important to display the information in the
>> intermediate certificates exactly as we received it in the
>> certificate. We have too many more important things to do. And, our
>> users do not benefit from such a change.
>
> See above; I think this question is moot given my answer there.
>
> Gerv

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

Florian Weimer
In reply to this post by Brian Smith-31
* Brian Smith:

> The first question is: Should we change our UI to be the same as
> other browsers? My answer is no. It *is* a good idea to show the
> root certificate's organization name in this part of the UI. But, it
> is also important to show all the intermediate organizations' names
> in this part of the UI too. See the recent TrustWave incident for
> motivation. If others agree, then I will file a bug about
> implementing a change to display the O= field from all CA
> certificates in the chain in this UI.

I don't think this is really helpful because intermediate certificates
often use pseudonyms or really misleading names.

A typical chain looks like this:

  AddTrust External CA Root      AddTrust AB
    UTN-UserFirst-Hardware         The USERTRUST Network
      EuropeanSSL Server CA          EUNETIC GmbH

Currently, the left-hand chain is shown in the certificate dialog, and
"EUNETIC GmbH" (which is not a pseudonym, unlike the rest) is shown by
the certificate information attached to the URL bar.

Speaking of the URL bar security information, the "which is run by"
label in the EV information is quite misleading because the EV process
does not ensure that the certificate subject runs the web site.  There
are even a few cases where the web site owner emphatically denies that
they are controlled by the certificate subject!

> The second question is: Should we change the string in the display
> of the *root* certificate from "VeriSign, Inc." to "Norton." My
> answer is no, because AFAICT this field should contain the legal
> name of the organization that owns the root certificate.

This is very desirable indeed, but it's a lot of work if intermediate
certificates are to be covered as well.
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto