Find reasons for the SSL common name invalid error.

tools/metrics/histograms/histograms.xml

Index: tools/metrics/histograms/histograms.xml
diff --git a/tools/metrics/histograms/histograms.xml b/tools/metrics/histograms/histograms.xml
index a8e775366dbdec09a4589d952ea86135511b7f11..e640ebf0d79c2f9743b5439213b18702a0896bb0 100644
--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -9708,14 +9708,24 @@ Therefore, the affected-histogram name has to have at least one dot in it.
     enum="SSLNonAttackCauses">
   <owner>felt@chromium.org</owner>
   <summary>
-    Possible non-attack causes of the non-overridable SSL interstitial.
+    Possible non-attack causes of the non-overridable SSL interstitial. Many
+    errors are not reported in this histogram and new errors may be added
+    overtime, therefore one should not look at the breakdown of this histogram
+    (one bucket divided by the sum) because that will be inaccurate. Instead,
+    one should look at each bucket count divided by the total count of the type
+    of the SSL error that exists when it is recorded.

[Mark P, 2014/08/06 21:35:50]

"the total count of the type of the SSL error that exists when it is recorded"
where is this recorded?

I hope in rewriting that fragment with a pointer you'll end up explaining better
what it means because I don't understand the phrase right now either.

[radhikabhar, 2014/08/06 22:17:37]

Done.

   </summary>
 </histogram>
 
 <histogram name="interstitial.ssl.cause.overridable" enum="SSLNonAttackCauses">
   <owner>felt@chromium.org</owner>
   <summary>
-    Possible non-attack causes of the overridable SSL interstitial.
+    Possible non-attack causes of the overridable SSL interstitial. Many errors
+    are not reported in this histogram and new errors may be added overtime,
+    therefore one should not look at the breakdown of this histogram (one bucket
+    divided by the sum) because that will be inaccurate. Instead, one should
+    look at each bucket count divided by the total count of the type of the SSL
+    error that exists when it is recorded.
   </summary>
 </histogram>
 
@@ -48045,6 +48055,31 @@ Therefore, the affected-histogram name has to have at least one dot in it.
 <enum name="SSLNonAttackCauses" type="int">
   <int value="0" label="CLOCK_PAST: System clock set early"/>
   <int value="1" label="CLOCK_FUTURE: System clock set late"/>
+  <int value="2"
+      label="WWW_SUBDOMAIN_MATCH: Difference between the URL and the DNS is
+             www">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID.
+  </int>
+  <int value="3" label="SUBDOMAIN_MATCH: The URL is a subdomain of the DNS">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID and the
+    difference between the URL and the DNS name is not &quot;www&quot;.
+  </int>
+  <int value="4"
+      label="SUBDOMAIN_INVERSE_MATCH: The DNS is a subdomian of the URL">
+    This cause is recorded if the ssl error is CERT_COMMON_NAME_INVALID and the
+    difference between the DNS name and the DNS name is not &quot;www&quot;.
+  </int>
+  <int value="5"
+      label="SUBDOMAIN_OUTSIDE_WILDCARD: The URL is outside the scope of the
+             wildcard certificate">
+    This cause is recorded only if the ssl error is CERT_COMMON_NAME_INVALID, we
+    have received a wildcard certificate and the hostname is too broad for the

[Mark P, 2014/08/06 21:35:50]

This seems like an odd use of the term "broad".

Perhaps a better phrasing would be that "the scope of the wildcard certificate
is too narrow for the hostname."

+    scope of a wildcard certificate.

[Mark P, 2014/08/06 21:35:50]

What happens in a situation like:
wildcard certificate *.www.google.com
hostname: google.com

This feels like bucket 2 and bucket 5.

[radhikabhar, 2014/08/06 22:17:37]

This case will actually never be recorded.

+  </int>

[Mark P, 2014/08/06 21:35:50]

What happened to 6?

[radhikabhar, 2014/08/06 22:17:37]

Done. Removed Self-Signed because that is not implemented in this CL. Forgor to
change the number.

+  <int value="7"
+      label="HOST_NAME_NOT_KNOWN_TLD: The host name is not a known TLD">
+    This cause is recorded only for CERT_COMMON_NAME_INVALID errors.

[Mark P, 2014/08/06 21:35:50]

What happens with
DNS = www.asdf
URL = asdf

Is this bucket 2 or bucket 7?

[radhikabhar, 2014/08/06 22:17:36]

This is bucket 7 (now bucket 6) only because if the host name is not a known TLD
then none of the above buckets are recorded. Added this fact to the description.

+  </int>
 </enum>
 
 <enum name="SSLResponseTypesV2" type="int">