Closed Bug 481723 Opened 15 years ago Closed 15 years ago

entrust.net CA shows up as Verified by: "Trusted Secure Certificate Authority"

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED INVALID

People

(Reporter: scientes-bugs+mozilla-6d4590a7b797c005d0b3, Assigned: hecker)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.6) Gecko/2009020911 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.6) Gecko/2009020911 Firefox/3.0.6

<quote><Mardeg> that's like saying "Erotic Orgasmic Porn Site"</quote>

This is the worst possible name given to a CA certificate, as it says absolutely nothing about who is responsible for verifying banks, storefronts, and all the other important actions Firefox users rely on SSL for.

If Mozilla will admit certificates with such wholesomely vague and misleading Organization (O) lines, then at least there should be a display of the corporation that is validating and taking liability for these certificates. The only way to get any information is to directly view the certificates. 

Reproducible: Always
OS: Linux → All
Hardware: x86_64 → All
Changing the "friendly name" is an NSS-level change, I think, but deciding what our process is for changing a friendly name because it is insufficiently clear is a CA Certificates policy issue -> moving components to get Frank's take.
Assignee: nobody → kathleen95014
Component: Security → CA Certificates
Product: Firefox → mozilla.org
QA Contact: firefox → ca-certificates
Version: unspecified → other
Assignee: kathleen95014 → hecker
And just what's wrong with 

This is not a "friendly name" or "nickname" issue, IMO.  This is not a 
name that Mozilla has applied to this CA and therefore can change.  

The string "Trusted Secure Certificate Authority" is the name of the CA
that issued the server cert in question, as found in the issuer's cert 
itself.  The full CA name, as given in the cert, is:

CN = Trusted Secure Certificate Authority
O = Trusted Secure Certificate Authority
C = US

There's not much else PSM can display besides what's in that name.
I think this is a complaint for enTrust, not for Mozilla.
That's an intermediate CA which has this name in the CN field. We should check with their CPS first if that's according to their own policy. Second we should discourage such naming conventions. Third we should add it to the Mozilla CA Policy.
(In reply to comment #2)
> And just what's wrong with 
> 
> This is not a "friendly name" or "nickname" issue, IMO.  This is not a 
> name that Mozilla has applied to this CA and therefore can change.  
> 
> The string "Trusted Secure Certificate Authority" is the name of the CA
> that issued the server cert in question, as found in the issuer's cert 
> itself.  The full CA name, as given in the cert, is:
> 
> CN = Trusted Secure Certificate Authority
> O = Trusted Secure Certificate Authority
> C = US
> 
> There's not much else PSM can display besides what's in that name.
> I think this is a complaint for enTrust, not for Mozilla.

Ah, so it is - my bad, sorry. I thought this was our naming.  I agree then, outside of a tangential policy question about whether we want CAs to not do this, there's no Mozilla bug here.

Frank - close it off, or do you want it to track the policy question Eddy raises?
Alternatively we could opt to always show the root CA as the issuer. This could be an interesting option in any case. Guess that would be a PSM issue then.
With more stuff on MD5 collisions I believe it was taken out of Microsoft's policy page, but I remember that they had such a policy posted.

Yeah, I understand you cannot change any of these fields, but having such a generic name on a root certificate just doesn't seem right, so I wanted to make note.
(In reply to comment #4)
> Frank - close it off, or do you want it to track the policy question Eddy
> raises?

I think the best approach is to close the bug as INVALID, since this is not actually a Mozilla bug. That's what I'm doing. The NSS and PSM code is doing exactly what it's designed to do, and supposed to do: print the name of the issuing CA.

As for the policy angle, I think the best we can do for now is to add this to the list of "problematic practices", which I'll go ahead and do. I don't think showing the root CA as the issuer (instead of the actual issuing CA) is the right thing to do; I think doing that would mess up lots of other things.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Product: mozilla.org → NSS
Product: NSS → CA Program