Re: Logotypes in certificates
Eric Murray <ericm@lne.com> Mon, 19 March 2001 00:09 UTC
Date: Sun, 18 Mar 2001 16:07:44 -0800
From: Eric Murray <ericm@lne.com>
To: Trevor Freeman <trevorf@Exchange.Microsoft.com>
Cc: ietf-pkix@imc.org
Subject: Re: Logotypes in certificates
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>

On Sun, Mar 18, 2001 at 10:42:12AM -0800, Trevor Freeman wrote:
> Hi Stefan,
> The fundamental gap here is that most users don't know what a
> certificate is, and are happy that they just get a simple icon if
> everything is ok or not rather than some UI detailing the content of the
> credential. Most users never look at the certificate UI.

Agreed.

I don't think that the logo extension would add that much data to the cert. There's already a whole load of junk people can put in certs, what's another 1-200 bytes?

I am however concerned with how certs with the logo extension would be issued.

Evil Trent is setting up a site to spoof the Bank of Alice web site. Since Trent knows that the BofA customers all use the logo extension to verify that they're really connected to Alice, he spoofs the logo. Trent creates a logo which is very similar to the BofA logo, but with one pixel in the corner different.

When Trent goes to Verisign, do they check the logo before they sign the cert? How much do they check it- that its hash is different from all the other logos in their database? If that's the case, Trent's visually-identical logo is "different" and Trent gets his cert. Trent puts up his spoof site, redirects traffic to it, and cleans out a number of accounts.

Eventually Alice will find out that Trent is using a logo that's too similar to Alice's. There's already laws for this sort of thing, so Alice can eventually prevail in the courts and get Trent to stop using the confusing logo. Before that happens, Trent moves to some small country with weak extradition laws.

With DNs this is simple(er)- Verisign just won't sign a cert request from Trent that says it's from Alice. Of course "says it's from Alice" is interpreted differently by different CAs and to be 100% correct you have to know each CA's naming convention. But generally it's not possible to get a Subject DN that's close enough to an existing issued cert to spoof it.

How would this be handled with logos? There's a body of law for similarity of logos and trademarks, would that be followed? Or would someone at Verisign (or pick any CA) just look at the logos and reject any that're "too similar".

There's probably also an international law problem here- what if I get a cert issued with my logo, which is trademarked in the US, and there's another very similar logo trademarked in the UK for an entirely unrelated company? Normally I and the other company would not be competing in each other's territories, but now with the net, we are, and our logos clash. Who figures this out?

This problem sounds very similar to the domain name situation, which as we all know, is a bit of a mess.

I think that these issues (and probably more in the same vein) should be thought through before going ahead with this.
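
The hash-uniqueness gap described in the message above, as an added example that is not part of the original post: a CA-side comparison that checks both an exact digest and a perceptual (average) hash, run over constructed pixel data. The average hash, the function names and the `max_distance` threshold are assumptions chosen for illustration, not anything a CA is known to use, and a small distance only routes a submission to human review.

```python
import hashlib

def disc_logo(size=32, bg=20, fg=230):
    """Constructed sample: grayscale 'logo', a bright disc on a dark field."""
    c, r2 = size // 2, (size / 3) ** 2
    return [[fg if (x - c) ** 2 + (y - c) ** 2 < r2 else bg
             for x in range(size)] for y in range(size)]

def exact_digest(img):
    """What a hash-uniqueness check compares: SHA-256 over the raw pixels."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, grid=8):
    """64-bit average hash: block-average to grid x grid, threshold at the mean."""
    step = len(img) // grid
    cells = []
    for gy in range(grid):
        for gx in range(grid):
            block = [img[y][x]
                     for y in range(gy * step, (gy + 1) * step)
                     for x in range(gx * step, (gx + 1) * step)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for value in cells:
        bits = (bits << 1) | int(value > mean)
    return bits

def review_submission(candidate, registered, max_distance=4):
    """Return (byte_identical, perceptual_distance, needs_human_review).
    max_distance is an assumed policy threshold, not a standard value."""
    identical = exact_digest(candidate) == exact_digest(registered)
    distance = bin(average_hash(candidate) ^ average_hash(registered)).count("1")
    return identical, distance, distance <= max_distance

# Constructed inputs: the registered logo, a copy with one corner pixel
# changed (the case in the message), and an unrelated left-half-bright logo.
REGISTERED = disc_logo()
LOOKALIKE = [row[:] for row in REGISTERED]
LOOKALIKE[0][0] += 1
UNRELATED = [[230 if x < 16 else 20 for x in range(32)] for _ in range(32)]

if __name__ == "__main__":
    print("lookalike:", review_submission(LOOKALIKE, REGISTERED))
    print("unrelated:", review_submission(UNRELATED, REGISTERED))
```

The one-pixel copy passes a digest-uniqueness check yet sits at perceptual distance 0 from the registered logo, while the unrelated logo is far away on both measures.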