RE: Logotypes in certificates

Stephen Kent <kent@bbn.com> Mon, 19 March 2001 23:10 UTC

Date: Mon, 19 Mar 2001 11:46:46 -0500
To: Stefan Santesson <stefan@accurata.se>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Logotypes in certificates
Cc: ietf-pkix@imc.org

Stefan,

I have mixed feelings about this proposal. We have, in the 
NameConstraints extension, a powerful mechanism for making cross 
certification a safe thing to do. If one were to include a logotype 
extension in a cert that was issued by a CA who had been cross 
certified using name constraints, it holds the potential for 
seriously undermining the controls imposed by NameConstraints.

There is an issue here that merits discussion: the logotype is 
presumably useful only when people are being asked to accept/reject 
certs, in addition to or in lieu of the many software-based controls 
that v3 certs offer. If the use is in lieu of use of more extensive 
software-based controls, there may not be a conflict, since the 
context is probably that of a TTP CA where NameConstraints and 
similar controls are of minimal use. However, if the syntactic 
controls are also in use, a logotype extension may be of limited 
value and might easily degrade security.

So, I would be opposed to PKIX approving this sort of extension (even 
as a separate RFC from 2459bis) without imposing significant 
constraints on the contexts in which it is to be used, including 
limitations on its use in conjunction with other extensions, e.g., 
NameConstraints. What worries me even more is that we might have to 
extend/modify the validation procedure to enforce such 
inter-extension constraints, which would then affect 2459bis!

Steve