Closed Bug 500333 Opened 15 years ago Closed 4 years ago

Cert Viewer doesn't recognize and display some standard EV name attribute OIDs

Categories

(Core :: Security: PSM, defect, P5)

1.9.1 Branch
defect

Tracking


RESOLVED WONTFIX

People

(Reporter: nelson, Unassigned)

Details

(Whiteboard: [psm-cert-manager][psm-backlog])

The EV cert standard recommends and/or requires that certain attributes be
included in the subject name of an EV cert.  PSM does not recognize all the
known EV attribute type OIDs, and so the cert viewer displays these attributes
with a rather user-unfriendly display.

For example:  When viewing the SSL server cert at the URL cited above, 
we see the following attributes in the name:

 CN = www.isecpartners.com
 OU = Secure Link EV SSL
 OU = Information Technology
 O = iSEC Partners, Inc.
 Object Identifier (2 5 4 9) = 115 Sansome Street
 Object Identifier (2 5 4 9) = Suite 1005
 L = San Francisco
 ST = CA
 Object Identifier (2 5 4 17) = 94104
 C = US
 Object Identifier (2 5 4 15) = V1.0, Clause 5.(b)
 Object Identifier (1 3 6 1 4 1 311 60 2 1 1) = North Las Vegas
 Object Identifier (1 3 6 1 4 1 311 60 2 1 2) = Nevada
 Object Identifier (1 3 6 1 4 1 311 60 2 1 3) = US
 Object Identifier (2 5 4 5) = E0936482006-7

Notice the 8 unrecognized name attribute OIDs there.  They include:

Defined in X.500 family
  (see http://www.alvestrand.no/objectid/2.5.4.html for the whole list)
2 5 4 5                  = serial Number 
2 5 4 9                  = street Address 
2 5 4 15                 = business Category 
2 5 4 17                 = postal Code 

Defined by CAB Forum, reserved by Microsoft
   (see http://www.cabforum.org/EV_Certificate_Guidelines_V11.pdf page 20)
1 3 6 1 4 1 311 60 2 1 1 = jurisdiction Of Incorporation Locality Name
1 3 6 1 4 1 311 60 2 1 2 = jurisdiction Of Incorporation State Or Province Name
1 3 6 1 4 1 311 60 2 1 3 = jurisdiction Of Incorporation Country Name
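
An added example, not part of the original report and not PSM or NSS code: it decodes DER-encoded attribute-type OIDs to dotted form and labels them with the attribute names listed above (written in their standard camelCase form), falling back to the raw "Object Identifier (...)" display for anything outside the table. The function names, the sample bytes and the 1.2.3.4 OID are constructed for illustration.

```python
# Added example: OID names are the ones listed in the report above.
EV_NAMES = {
    "2.5.4.5": "serialNumber",
    "2.5.4.9": "streetAddress",
    "2.5.4.15": "businessCategory",
    "2.5.4.17": "postalCode",
    "1.3.6.1.4.1.311.60.2.1.1": "jurisdictionOfIncorporationLocalityName",
    "1.3.6.1.4.1.311.60.2.1.2": "jurisdictionOfIncorporationStateOrProvinceName",
    "1.3.6.1.4.1.311.60.2.1.3": "jurisdictionOfIncorporationCountryName",
}

def decode_oid(tlv: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06, short-form length) to dotted form."""
    if len(tlv) < 3 or tlv[0] != 0x06 or tlv[1] >= 0x80 or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed short-form DER OID")
    subids, value, start = [], 0, True
    for byte in tlv[2:]:
        if start and byte == 0x80:
            raise ValueError("non-minimal subidentifier encoding")
        value = (value << 7) | (byte & 0x7F)   # base-128, high bit = "more follows"
        start = not (byte & 0x80)
        if start:
            subids.append(value)
            value = 0
    if not start:
        raise ValueError("truncated subidentifier")
    first = min(subids[0] // 40, 2)            # first octet packs the first two arcs
    return ".".join(str(a) for a in [first, subids[0] - 40 * first] + subids[1:])

def label(tlv: bytes) -> str:
    """Friendly name if known, else the raw-OID fallback shown in the report."""
    oid = decode_oid(tlv)
    return EV_NAMES.get(oid, "Object Identifier (%s)" % oid.replace(".", " "))

def render_subject(rdns):
    """rdns: list of (DER OID bytes, value string) pairs, in display order."""
    return ["%s = %s" % (label(tlv), value) for tlv, value in rdns]

# Constructed sample: three attributes from the report plus an unknown OID (1.2.3.4).
SAMPLE = [
    (bytes.fromhex("0603550409"), "115 Sansome Street"),
    (bytes.fromhex("060b2b0601040182373c020101"), "North Las Vegas"),
    (bytes.fromhex("0603550405"), "E0936482006-7"),
    (bytes.fromhex("06032a0304"), "constructed value"),
]

if __name__ == "__main__":
    print("\n".join(render_subject(SAMPLE)))
```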

A patch for this bug would probably resemble the patch for bug 323903.

Assignee: kaie → nobody
Whiteboard: [psm-cert-manager]

Note that Chrome doesn't recognize these OIDs either.

I wouldn't be opposed to implementing this for the upcoming cert viewer implementation, but I don't think it's worth spending time on adding this for the current implementation.

Component: Security: UI → Security: PSM
Priority: -- → P5
Whiteboard: [psm-cert-manager] → [psm-cert-manager][psm-backlog]

(In reply to David Keeler [:keeler] (use needinfo?) from comment #3)
> upcoming cert viewer implementation

For reference, the tracking bug for this work is Bug 1294897.

This issue has been recently discussed during the latest CA/B Forum F2F 39 meeting (Oct 2016) (https://cabforum.org/2016/10/19/2016-10-19-20-f2f-meeting-39-minutes/).

The affected files for Mozilla products seem to be:

https://dxr.mozilla.org/mozilla-central/source/security/manager/locales/en-US/chrome/pipnss/pipnss.properties#54 and

https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsNSSCertHelper.cpp#242

Although it seems pretty straightforward to produce a patch, I am not sure what other implications exist. It would be nice for more experienced programmers to push for a patch and improve the Certificate details view.

New certificate viewer.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX