Re: [Bimi] Where do the signed certificates come from?

Thede Loder <thede@skyelogicworks.com> Mon, 11 February 2019 15:22 UTC

From: Thede Loder <thede@skyelogicworks.com>
Message-Id: <63B39236-831C-4FF2-BAC1-5FF024A54381@skyelogicworks.com>
Date: Mon, 11 Feb 2019 10:22:04 -0500
In-Reply-To: <CAAFsWK2_wz94TudmZ+uiYd2rL9bs8GqR3WjLH0Uma1PDTc6Muw@mail.gmail.com>
Cc: John R Levine <johnl@taugh.com>, bimi@ietf.org
To: Wei Chuang <weihaw=40google.com@dmarc.ietf.org>
References: <alpine.OSX.2.21.1902102338460.11704@ary.qy> <CAAFsWK2_wz94TudmZ+uiYd2rL9bs8GqR3WjLH0Uma1PDTc6Muw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/_A4NE375y-g8DWDUo4zRGJZkVgo>
Subject: Re: [Bimi] Where do the signed certificates come from?

Here are a few more tidbits on Verified Mark Certificates and their relationship to BIMI.  Some on the list will not have been close to their development over the last year.

Highlights:

* Verified Mark Certificates are designed to be compatible with BIMI's publishing and discovery mechanisms and anticipated uses with email, OATH, and social media.  However, VM Certs are not tied to BIMI in any way, nor does BIMI itself require domain registrants to obtain them.

* Issued VM Certs must be published in well-known Certificate Transparency (CT) logs in order to be considered valid.  The CT entry must include all material contents of the cert, allowing review.

* VM Certs are issued by intermediates which are dedicated to the issuance of VM Certs, and distinct from TLS intermediates.

* We anticipate that some 'Consuming Entities' (parties offering services which partially or heavily rely upon VM Certificates) will operate their own VM Certificate "root programs".  These are analogous to TLS "root programs".

* VM Certs require f2f verification, subject to a sunset provision.

* While a VM Cert can contain a signed public key of the certificate Applicant, the certificate is not for server identification as with EV, and has a different EKU.  The important components of the cert are instead a list of FQDNs, the legal entity identifying information, the embedded logo, and the trademark registration and jurisdiction information which substantiate the Applicant's rights to the logo.

* The initial draft defined a set of acceptable vetting methods.  We would like over time to define other acceptable vetting methods suitable for situations beyond the one where the Applicant holds the registration of the mark directly.

* The latest draft for reference (as Seth referenced previously) is here: https://docs.google.com/document/d/10IzxkdrveDazBAvTvOUa9uCIDBwMkdmluwHEcbja42w


Thede

--
Thede Loder
Managing Director, Skye Logicworks LLC
E: thede@skyelogicworks.com
M: 415-420-8615
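
Added example, not code from the thread or from the Authindicators draft: a receiver-side profile check in Go that encodes the points made above and in Wei's quoted reply (the mark EKU is the distinguishing feature, TLS EKUs do not belong on the same cert, and the cert binds a list of FQDNs plus an embedded logo). The EKU and logotype OIDs are assumptions rather than values given on this page, the test certificate is constructed data signed with a fixed all-zero seed, and chain, CT and validity checks are assumed to happen before this function is called.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
)

// Assumed OIDs, not given in the thread: the BIMI mark EKU and the RFC 3709/RFC 6170 logotype extension.
var oidEKUBimi = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 31}
var oidLogotype = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}

// CheckMarkCertProfile applies the thread's profile points to a chain-validated cert: mark EKU only, FQDNs, logotype.
func CheckMarkCertProfile(cert *x509.Certificate) error {
	hasBimi, hasLogo := false, false
	for _, u := range cert.UnknownExtKeyUsage { // Go has no named constant for this EKU
		hasBimi = hasBimi || u.Equal(oidEKUBimi)
	}
	for _, e := range cert.Extensions {
		hasLogo = hasLogo || e.Id.Equal(oidLogotype)
	}
	switch {
	case !hasBimi:
		return errors.New("mark EKU absent: not a mark certificate")
	case len(cert.ExtKeyUsage) > 0: // serverAuth, clientAuth, ... belong to other PKIs
		return errors.New("TLS-style EKU present: mark and TLS certificates must stay separate")
	case len(cert.DNSNames) == 0:
		return errors.New("no FQDN in subjectAltName")
	case !hasLogo:
		return errors.New("logotype extension absent: no embedded logo")
	}
	return nil
}

// NewTestCert self-signs constructed test data (all-zero seed, no validity period) with the given DNS names and EKU OIDs.
func NewTestCert(dns []string, ekus []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dns, UnknownExtKeyUsage: ekus,
		ExtraExtensions: []pkix.Extension{{Id: oidLogotype, Value: []byte{0x30, 0x00}}}} // empty SEQUENCE as placeholder logo
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```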



> On Feb 11, 2019, at 01:19, Wei Chuang <weihaw=40google.com@dmarc.ietf.org> wrote:
> 
> On Sun, Feb 10, 2019 at 8:39 PM John R Levine <johnl@taugh.com> wrote:
>> BIMI appears to assume that senders will have TLS certificates
> 
> BIMI (sometimes documented as Verified Mark) certificates should be considered a different PKI than TLS certificates.  The certificates have a distinguishing Extended Key Usage for this.
> 
>> that include RFC6170 certificate images, signed by a CA that attests that the image is a
>> logo that belongs to the same entity as the domain name in the certificate.
>> 
>> Is this supposed to be a DV, EV, or some other kind of certificate?
> 
> The proposed validation as documented in the guidelines (see Seth Blank's Feb 6th post) builds upon web EV but of course includes a logo (and optionally name) validation that goes beyond what is done for web EV.
> 
>> Are there any CAs that will do the logo attestation?
> 
> We (Authindicators WG) have been working with Entrust-Datacard on the Guidelines, and they are willing to do this logo attestation.  We also are talking with other CAs, and believe that at least one other is willing.
> 
>> Logos, like all trademarks, have geographic scope, and it's not rare for a
>> trademark and logo to belong to one company in, say, the US and a different one
>> in Europe.  How will that work?
> 
> There is a trademark registration country/region level jurisdiction field.  Currently the guideline specification only allows for a single jurisdiction.  One open question is whether to specify multiple jurisdictions in a single cert and another is how to do this.  (There are some compounding issues in this space that make this potentially challenging.)  That's something I hope the IETF can help with.
> 
> -Wei
> 
>> I don't think there's any way for a cert to
>> say it's only valid in some countries.
>> 
>> Regards,
>> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
>> Please consider the environment before reading this e-mail. https://jl.ly
>> 
>> -- 
>> bimi mailing list
>> bimi@ietf.org
>> https://www.ietf.org/mailman/listinfo/bimi