483031 - Firefox should show the CA root as the issuer of certificates

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[Eddy Nigg (StartCom)]

Currently on mouse-over when hovering over the Identity icon, the Larry popup and tooltip shows:

Verified by: (immediate issuer)

It was suggested during discussions at m.d.t.crypto that the issuer shown should be the root CA which takes the ultimate responsibility about the issued certificate and not the immediate issuer in case intermediate CA certificates are involved. This would make it clearer which CA is responsible.

Comment 1

[Frank Hecker]

Eddy, I don't think this is a good idea. Most notably, it obscures to the user information about which CA actually issued the certificate and verified the information in the certificate. This is less of a problem in cases where the root CA and the issuing CA are run by the same organization, but I think it's a major problem where the root and issuing CAs are run by different organizations.

Comment 2

[Eddy Nigg (StartCom)]

At the discussion there were two problems:

First some CAs misuse the current behavior and use in the organization field promotional statements (of the intermediate CA certificate). I can't find the bug right now which reported it. In this case Mozilla has no control what it shows to the user. The verified by phrase could have been misunderstood and misleading.

The second argument was that some sub CAs which are external to the parent CA, are not really responsible and it's difficult to track or understand who is.

I think those are valid points which should receive some attention and consideration. We could discuss this at m.d.s.p. perhaps.

Comment 3

[Eddy Nigg (StartCom)]

The bug is of course 481723 which you rejected. Question: How would adding it to the problematic practices have any effect on Entrust in this particular case?

Comment 4

[Kai Engert (:KaiE:)]

reassign bug owner.
mass-update-kaie-20120918