Closed Bug 1123915 Opened 9 years ago Closed 9 years ago

Where should we put "Preliminary" in the cert?

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: clouserw, Assigned: dveditz)

In the Organization?  In the OU?  What should it look like?

This bug comes from a discussion on #amo.  Dan said he'd try to find the person to make the decision.  Once it's made please assign to rtilder to adjust trunion.

It's not so much about the word "Preliminary" as much as what we want the UI around signed add-ons to look like. The existing install UI shows the Common Name (CN) field, or if that's blank the Organization (O). The new UI won't want to show the CN because that's going to be the add-on ID which isn't going to mean anything to the user (especially the UUID or Jetpack ones).

Until today I was assuming we'd put everything we want in the O field for simplicity. Folks on #amo have pointed out that logically it's the same "organization" doing both full and preliminary reviews and that we ought to just put "Mozilla" in the org field and use the Organization Unit (OU) to distinguish full and preliminary reviews.

Normally I'm a big supporter of logic, but in this case we should work backwards from what we want users to see when they install something. Since these signed add-ons can be taken from AMO and hosted elsewhere--in fact, some will ONLY be hosted elsewhere--it is crucial that users be able to distinguish between "Mozilla Blessed" and "We Took A Glance" signatures. We should start with what we want users to SEE in the UI and work back from there.

The first big question is whether we want addons to be signed by "Mozilla" plus some qualifier or if we don't want to claim so much responsibility for the contents. We might not want it to be Mozilla the org because users may interpret that as "Mozilla Corporation", not all reviewers work for us, and some of the content will be too objectionable to be hosted on AMO itself.

If we're fine with "Mozilla <something>" (or "Mozilla Corporation <something>") then an O+' '+OU scheme can work. That could lead to UI strings like
   Mozilla Add-on Review
   Mozilla Preliminary Add-on Review
     or "Mozilla Add-on Review (Preliminary)"

If we want a little more distance perhaps we want
  addons.mozilla.org review
  preliminary addons.mozilla.org review

Since I believe the preliminary review thing is going to get abused my preference is for leading with the word Preliminary for those reviews. Or use PRELIMINARY in all caps so it sticks out.

I suppose the word doesn't have to be PRELIMINARY. That matches the current wording on AMO
https://addons.mozilla.org/en-US/faq#preliminary
Other alternatives include
  EXPERIMENTAL
  BETA
  UN-TESTED

Another option would be to take the word "Mozilla" out when it's preliminary:
   Mozilla Add-on Review
   Preliminary Add-on Review

Since this is a user-visible part of the feature I'd like the product team to sign off on whichever one we're going to use.
Flags: needinfo?(gavin.sharp)
"What do we want the user to see" is ultimately a UX decision. Is there a desktop UX bug covering the "new UI" yet?

"How we make the user see that technically" will likely involve some engineering input as part of implementing that design, and I think only then will we have a concrete answer to "what goes in the cert". I imagine this particular decision is not pressing, right?
Flags: needinfo?(gavin.sharp)
Meant to needinfo Mossop re: the UX bug question.
Flags: needinfo?(dtownsend)
(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #2)
> "How we make the user see that technically" will likely involve some
> engineering input as part of implementing that design, and I think only then
> will we have a concrete answer to "what goes in the cert". I imagine this
> particular decision is not pressing, right?

It's blocking us from doing the server side of this (the signing of the add-ons) so I think it's pretty important to decide.

(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #2)
> "What do we want the user to see" is ultimately a UX decision. Is there a
> desktop UX bug covering the "new UI" yet?

Bug 1120996
Flags: needinfo?(dtownsend)
(In reply to Wil Clouser [:clouserw] from comment #4)
> It's blocking us from doing the server side of this (the signing of the
> add-ons) so I think it's pretty important to decide.

Do we actually need to lock in the cert now?

(In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #6)
> (In reply to Wil Clouser [:clouserw] from comment #4)
> > It's blocking us from doing the server side of this (the signing of the
> > add-ons) so I think it's pretty important to decide.
> 
> Do we actually need to lock in the cert now?

If "lock in the cert" means we know what fields we're using to differentiate between full review and preliminary review, yes, we need to figure that out, because we can't finish the server side code that puts those fields in and we can't finish the client side code which needs to know what it's looking for.

Can't we use a cert field that's not related to what's displayed to the user for that?

That's a question for Dan.  It makes no difference to me what fields we use.
Flags: needinfo?(dveditz)
It's software, yes we can do it either way.
Flags: needinfo?(dveditz)
Dan, what's the best field to use then?  I'd say you and Mossop should just work together and pick something to contain the attributes.  +1 on not using something user-visible, but I don't know enough about the semantics of the certificate format to suggest something.
Flags: needinfo?(dveditz)
If you don't want it user-visible then we should preserve Organization (O=) as a string we might want to expose to users (especially for the 3rd-party-certs we will issue later--I don't want to say Mozilla certified the AVG toolbar!) and put the string "Preliminary" in the Organization Unit (OU=).
Flags: needinfo?(dveditz)
Thanks all.  Daniel - expect Preliminary in OU.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
No longer blocks: 1126898
Product: addons.mozilla.org → addons.mozilla.org Graveyard
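
An added sketch, not code from trunion or Firefox, of the outcome reached in this bug: the review marker is read from the parsed OU attribute and only O is shown to the user, instead of string-matching the whole subject. The RFC 4514 string form, the function names, the case-insensitive comparison and the sample subjects are assumptions made for illustration.

```python
import re

PRELIMINARY_OU = "Preliminary"  # marker string the bug settles on for the OU field

def parse_subject(dn):
    """Parse an RFC 4514-style subject string into {TYPE: [values]}.
    Decodes backslash escapes; multi-valued RDNs ('+') are not handled."""
    attrs, buf, i = {}, bytearray(), 0
    def flush():
        typ, _, val = buf.decode("utf-8").partition("=")
        attrs.setdefault(typ.strip().upper(), []).append(val.strip())
        buf.clear()

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
            buf.append(int(dn[i + 1:i + 3], 16))   # hex pair, e.g. \2C
            i += 3
        elif ch == "\\" and i + 1 < len(dn):
            buf.extend(dn[i + 1].encode("utf-8"))  # escaped special, e.g. \,
            i += 2
        elif ch == ",":
            flush()                                # unescaped comma ends an RDN
            i += 1
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    flush()
    return attrs

def is_preliminary(attrs):
    """True if any OU value is the marker. Case-insensitive (an assumption) so
    a differently cased marker still lands on the lower-trust side."""
    return PRELIMINARY_OU.casefold() in (v.casefold() for v in attrs.get("OU", []))

def display_name(attrs):
    """User-visible signer: O only, never CN (which holds the add-on ID)."""
    return (attrs.get("O") or ["(no organization)"])[0]

def naive_is_preliminary(dn):
    """Contrast case: substring search over the raw subject also hits CN and O."""
    return "preliminary" in dn.lower()

# Constructed sample subjects; "Example Signer" is a placeholder O value.
SAMPLES = [
    "CN=preliminary-tools@example.com, O=Example Signer",
    "CN={00000000-0000-0000-0000-000000000000}, OU=Preliminary, O=Example Signer",
    "CN=addon@example.com, O=Example\\, Inc. Preliminary Labs",
]
```

Only the second sample carries the marker in OU; the naive substring check also flags the first and third, where the word appears in the add-on ID or the organization name.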