Closed Bug 418038 Opened 18 years ago Closed 13 years ago

Mozilla should have an EV certificate

Categories

(mozilla.org Graveyard :: Server Operations: Projects, task)

task
Not set
trivial

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: info, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b4pre) Gecko/2008021607 Minefield/3.0b4pre ID:2008021607

The better identity verification described in http://en.www.mozilla.com/en/firefox/3.0b3/releasenotes/ sounds great, 'twould be nice if www.mozilla.org and bugzilla.mozilla.org implemented it.

Reproducible: Always

Steps to Reproduce:
1. Go to https://www.mozilla.org or https://bugzilla.mozilla.org
2. Click the "favicon"

Actual Results:
You don't get the happy extended green in the location field. When you click, "Larry" is blue and the text is "You are connected to mozilla.org which is run by (no information provided)"

Expected Results:
Seems a nice opportunity to promote the feature and give some more information about mozilla.org. (The 3.0b3 release notes point you to bleedin' British Airways to try out the feature!) The Easter Egg opportunities for the site info for mozilla.org are endless. I mention APNG support, and "Larry" from http://lyricwiki.org/The_Floaters:Float_On , take it from there :-) ;-)
Assignee: nobody → server-ops
Component: *.mozilla.org → Server Operations
Product: Websites → mozilla.org
QA Contact: other-mozilla-org → justin
Summary: implement the cool FF3 Identity verification on Mozilla sites (EV Certs) → Mozilla should have an EV certificate
Version: unspecified → other
Standard single-domain EV cert from Equifax (our current SSL vendor) is $899. I can't find a price listing for a wildcard EV cert. As far as I can tell they don't offer one. Given that the equivalent non-EV single-domain cert is $399, a non-EV wildcard cert is $999, a wildcard EV cert would likely be $1499 if they do offer it.
http://www.networksolutions.com/SSL-certificates/ev.jsp states "Wildcard customers should note that industry guidelines prohibit the issuance of wildcard EV Certificates. To reap the benefits of an EV Certificate for their Web site, they may want to purchase an EV Certificate for their main domain and retain their current Wildcard Certificate to cover their sub-domains."
I was kinda guessing as much although I hadn't found a reference to it yet.
Punting to Justin for decision and certificate.
Assignee: server-ops → justin
this is ~$1k, per site, per year. copying Jonathan to see if he thinks we really need this, and for which sites.
It's an expensive and sort of irksome process to go through just to trumpet the feature. My take all along has been that this is useful information, but that it's up to individual organizations (companies, governments, etc.) to decide whether the trust relationships their users are forming with them would be helped by it, and whether that's worth the costs. I guess we do have trouble with other people using the Firefox/Mozilla name on websites that have nothing to do with us, so EV might help reassure people that they are somewhere real. Still though - it's a high outlay, and the trust decisions most of our SSL sites (bugzilla, litmus, etc) require are really not about disclosing identity information beyond maybe an email address. If we got it for any sites, it would be ones where it was most important that people knew they were getting the real deal - maybe AMO, or the store, where people are making a choice about taking real risks (downloading software, sending financial details). I think EV certs have value, I'm just not sure they're the right tool for our job. I hear the argument about how it would be nice to demo the technology we choose to implement, but I really far prefer us to link to other sites for that. We're here to make the web better - the things we spend time on should be things we can point to in the world outside Mozilla as being important. It would be a bit of an embarrassment if the only example we had of a technology was our own "hello world" example. If we identify specific sites where extra identification seems appropriate, we can take those case by case, but I don't think we should buy one just to have it.
Talked to Jonathan - at this point there doesn't seem to be a compelling reason to spend the money and go through the effort. That said, happy to look at other sites in the future if the reasons for it make the effort worthwhile.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
I've seen this raised quite a bit lately. Have things changed since 2008? Is it possible to get a wildcard EV cert now? Are we unifying our domains to a point where it makes more sense to have an EV cert now than in the past? I assume cost isn't the issue if we only need it for a few sites.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---
Another bonus side effect: with our focus on telling the world that Mozilla is a non-profit foundation lately, having the EV say "Mozilla Foundation (US)" would further reinforce this message.
And if cost is the issue, I assume we could "fake" an EV for Mozilla? With this add an exception and hardcode the EV cert (we still have SSL after all) in Firefox. Currently clicking on the favicon of https://www.mozilla.com/en-US/firefox/central/ brings up a "This web site does not provide identity information" message, and this is where the "Instant Website ID" feature is introduced. Not a very good first experience for the user.
(In reply to comment #10)
> Have things changed since 2008? Is it possible to get a wildcard EV cert now?
The EV standards do not permit wildcard EV certificates.
(In reply to comment #12)
> And if cost is the issue, I assume we could "fake" an EV for Mozilla? With this
> add an exception and hardcode the EV cert (we still have SSL after all) in
> Firefox.
Not going to happen. Mozilla isn't in the business to become its own CA, which is what that would require.
Cost is not an issue. I'm merely asking if the existing EV cert on addons.mozilla.org can also work for this purpose.
(In reply to comment #11)
> Another bonus side effect: with our focus on telling the world that Mozilla is
> a non-profit foundation lately, having the EV say "Mozilla Foundation (US)"
> would further reinforce this message.
That's harder to do because the entity buying the cert and managing the servers they run on is not the Foundation. It's why AMO shows "Mozilla Corporation".
(In reply to comment #14)
> Cost is not an issue. I'm merely asking if the existing EV cert on
> addons.mozilla.org can also work for this purpose.
I believe you may be confusing this bug with bug 639937.
I wasn't but failed to delete that comment. The rest stands though!
Assignee: justin → nobody
Component: Server Operations → Server Operations: Projects
QA Contact: justin → mrz
I believe this is resolved? www.mozilla.org and addons.mozilla.org are both EV certs, and we do this regularly now for sites/domains that can justify it. The former is under Mozilla Foundation, and the latter is under Mozilla Corporation.
Status: REOPENED → RESOLVED
Closed: 18 years ago → 13 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard