RE: Logotypes in certificates
Stephen Kent <kent@bbn.com> Mon, 19 March 2001 23:10 UTC
Date: Mon, 19 Mar 2001 11:46:46 -0500
To: Stefan Santesson <stefan@accurata.se>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Logotypes in certificates
Cc: ietf-pkix@imc.org
Stefan,

I have mixed feelings about this proposal. We have, in the NameConstraints extension, a powerful mechanism for making cross certification a safe thing to do. If one were to include a logotype extension in a cert that was issued by a CA who had been cross certified using name constraints, it holds the potential for seriously undermining the controls imposed by NameConstraints.

There is an issue here that merits discussion: the logotype is presumably useful only when people are being asked to accept/reject certs, in addition to or in lieu of the many software-based controls that v3 certs offer. If the use is in lieu of use of more extensive software-based controls, there may not be a conflict, since the context is probably that of a TTP CA where NameConstraints and similar controls are of minimal use. However, if the syntactic controls are also in use, a logotype extension may be of limited value and might easily degrade security.

So, I would be opposed to PKIX approving this sort of extension (even as a separate RFC from 2459bis) without imposing significant constraints on the contexts in which it is to be used, including limitations on its use in conjunction with other extensions, e.g., NameConstraints. What worries me even more, is that we might have to extend/modify the validation procedure to enforce such inter-extension constraints, which would then affect 2459bis!

Steve