Closed Bug 574730 Opened 14 years ago Closed 11 years ago

Inaccurate explanation of the term 'signature'

Categories

(www.mozilla.org :: Pages & Content, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: eus, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.19) Gecko/2010040116 Ubuntu/9.04 (jaunty) Firefox/3.0.19
Build Identifier: 

Since a certificate can mean a public key certificate or a personal certificate, I propose that the word 'certificate' used in the paragraph is replaced with 'personal certificate' for the sake of clarity (i.e., we sign digital objects using a private key not a public key certificate).

Reproducible: Always

Steps to Reproduce:
1. Just visit the URL.
Actual Results:  
[Unclear whether certificate means public key certificate or personal certificate]

Signature
    By using a certificate, a developer can sign a web page and its associated code. A signing program, like Netscape's SignTool first compresses the files to be signed. The program uses the user's certificate to generate a signature unique to the user and the signed files. This signature is included with the files in a JAR file. If the contents of the JAR file are modified after signing, the user's browser will be able to tell, and the signature will be invalid.

Expected Results:  
[It is clear that one can sign digital objects using the private key contained in a personal certificate]

Signature
    By using a personal certificate, a developer can sign a web page and its associated code. A signing program, like Netscape's SignTool first compresses the files to be signed. The program uses the user's personal certificate to generate a signature unique to the user and the signed files. This signature is included with the files in a JAR file. If the contents of the JAR file are modified after signing, the user's browser will be able to tell, and the signature will be invalid.

Since the term 'Personal Certificate' is used to mean the certificate that is
intended for personal usage as opposed to a corporate usage [1,2], I propose
that the words 'sign with a certificate' are either replaced with 'sign with
the private key of the corresponding certificate' or simply dropped.

So, here is how the expected result should be:

Signature
    By using the corresponding private key of the public key contained in a certificate, a developer can sign a web page and its associated
code. A signing program, like Netscape's SignTool first compresses the files to
be signed. The program uses the private key to generate a signature
unique to the user and the signed files. This signature is included with the
files in a JAR file. If the contents of the JAR file are modified after
signing, the user's browser will be able to tell, and the signature will be
invalid.

[1] http://security.fnal.gov/pki/what_is_cert.html#personal
[2] http://fiatlux.zeitform.info/en/instructions/wot.html
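The distinction this report draws, shown as an added example that is not part of the bug report or the Mozilla page: the signature is produced with the private key, while the certificate carries only the public key used to verify it. The toy RSA key pair, the certificate fields, the function names and the file contents are all constructed assumptions.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes (constructed for this
# example; far too small for real use, and real signing also adds padding).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
PRIVATE_KEY = pow(E, -1, (P - 1) * (Q - 1))  # kept secret by the developer

# The certificate binds an identity to the PUBLIC key only (hypothetical fields).
CERTIFICATE = {"subject": "CN=Example Developer", "n": N, "e": E}


def manifest(files):
    """One digest line per file, in the spirit of a JAR manifest."""
    return "\n".join(
        f"{name} SHA-256 {hashlib.sha256(data).hexdigest()}"
        for name, data in sorted(files.items())
    ).encode()


def digest_as_int(data, n):
    """Hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(files, private_key, n):
    """Signing needs the private key; the certificate alone cannot do this."""
    return pow(digest_as_int(manifest(files), n), private_key, n)


def verify(files, signature, certificate):
    """Verification needs only the public key carried in the certificate."""
    n, e = certificate["n"], certificate["e"]
    return pow(signature, e, n) == digest_as_int(manifest(files), n)


# Constructed sample archive contents.
FILES = {"index.html": b"<html>hello</html>", "app.js": b"alert('hi');"}
SIGNATURE = sign(FILES, PRIVATE_KEY, N)
TAMPERED = dict(FILES, **{"app.js": b"alert('changed');"})

if __name__ == "__main__":
    print("original verifies:", verify(FILES, SIGNATURE, CERTIFICATE))
    print("tampered verifies:", verify(TAMPERED, SIGNATURE, CERTIFICATE))
    # Signing with the certificate's public exponent instead of the private key.
    print("public exponent:", verify(FILES, sign(FILES, E, N), CERTIFICATE))
```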
Closing old Mozilla.org website bugs due to them not being relevant to the new Python-based Bedrock system. Re-open if this is a critical bug and should be resolved on the new system too.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX

I'm not sure how in the world this bug would've been fixed by some "Bedrock" system.
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---

Hi Samuel. It is indirectly related to Bedrock and Bedrock is just the code name for www.mozilla.org implementation of Django. The content for this bug needs to be moved to another location and that does not make this bug invalid. In the future, www.mozilla.org will be all Bedrock.

Yes, this is not fixed, but this is a bigger discussion that needs to happen on where this content should go.
Component: www.mozilla.org → General
Product: Websites → www.mozilla.org

This page has been archived some time ago.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 11 years ago
Component: General → Pages & Content
OS: Linux → All
Hardware: x86 → All
Resolution: --- → WONTFIX