mozkeeler / sunlight

Examine the Certificate Transparency Log for Baseline Requirements issues
MIT License

some issuers are blank #57

Open monicachew opened 9 years ago

monicachew commented 9 years ago

We should get a sample to investigate more closely.

mozkeeler commented 9 years ago

I had a quick look - sometimes CAs don't have anything in the subject common name, which I think is what we're using as (part of) the lookup. We could fall back to the subject organizational unit or organization or something (if the entire subject is empty, that's definitely a bad thing).

mozkeeler commented 9 years ago

I did some exploratory work on identifying issuers by their Subject Organization, Subject Organizational Unit, and Subject Common Name (i.e. strings like "O=AusCERT, OU=Certificate Services, CN=AusCERT Server CA"). We can shorten them up on the frontend if there aren't any collisions. I think this makes our determination of whether or not a cert would verify under our root program a bit more accurate.
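
The approach discussed in this thread, sketched as an added JavaScript example (not part of the thread and not sunlight's own code): issuers are keyed on O, OU and CN so a blank common name no longer yields a blank issuer, and display labels are shortened only where no other issuer shares them. The function names, the `{O, OU, CN}` input shape and all sample subjects except the AusCERT string are assumptions made for illustration.

```javascript
// Added example. Subjects are assumed already parsed into {O, OU, CN} strings.
const FIELDS = ["O", "OU", "CN"];
const clean = (v) => (typeof v === "string" ? v.trim() : "");

// Full identifier, e.g. "O=AusCERT, OU=Certificate Services, CN=AusCERT Server CA".
// Empty attributes are skipped; an entirely empty subject returns null.
function issuerKey(subject) {
  const parts = FIELDS
    .filter((f) => clean(subject[f]) !== "")
    .map((f) => `${f}=${clean(subject[f])}`);
  return parts.length ? parts.join(", ") : null;
}

// Candidate short forms, shortest first: CN alone, then "O / CN".
const candidates = (s) => [
  clean(s.CN),
  [clean(s.O), clean(s.CN)].filter(Boolean).join(" / "),
];

// Map each full key to the shortest label that no other issuer also produces.
function displayLabels(subjects) {
  const byKey = new Map();
  const emptySubjects = [];
  subjects.forEach((s, i) => {
    const key = issuerKey(s);
    if (key === null) emptySubjects.push(i); // entirely empty subject: flag it
    else byKey.set(key, s);
  });
  // Count how many distinct issuers produce each candidate string.
  const uses = new Map();
  for (const s of byKey.values()) {
    for (const c of new Set(candidates(s))) {
      if (c) uses.set(c, (uses.get(c) || 0) + 1);
    }
  }
  const labels = new Map();
  for (const [key, s] of byKey) {
    const short = candidates(s).find((c) => c && uses.get(c) === 1);
    labels.set(key, short || key); // every short form collides: keep the full key
  }
  return { labels, emptySubjects };
}

// Constructed sample subjects (the first is the string quoted in the thread).
const SAMPLE = [
  { O: "AusCERT", OU: "Certificate Services", CN: "AusCERT Server CA" },
  { O: "Example Trust A", OU: "", CN: "Server CA" },
  { O: "Example Trust B", OU: "", CN: "Server CA" },
  { O: "Example Org", OU: "PKI", CN: "" },
  { O: "", OU: "", CN: "" },
];
```
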