RE: Logotypes in certificates

["Trevor Freeman" <trevorf@Exchange.Microsoft.com>]

Hi Stefan,
The fundamental gap here is that most users don't know what a
certificate is, and are happy that they just get a simple icon if
everything is ok or not rather than some UI detailing the content of the
credential. Most users never look as the certificate UI.
Trevor

-----Original Message-----
From: Stefan Santesson [mailto:stefan@accurata.se] 
Sent: Saturday, March 17, 2001 4:14 PM
To: David Cross; ietf-pkix@imc.org
Subject: RE: Logotypes in certificates


David,

Comment in line;

At 18:46 2001-03-16 -0800, David Cross wrote:
>Stefan:
>
>Some comments -
>
>First:  I do not think that this should be considered for son of 
>RFC2459
>- we do not want to hold this up to consider this proposal.

That's OK with me.

>
>Second:  I do not see how applications will make use of this 
>information.  How do you see it being used?

Well first I would like to state that I now of several applications that

would use this information if it was available. This is typically any 
application which includes a function to display a certificates to a
human 
user. These applications will seek to have a display format which makes 
sense to the user. These applications can, if logotype data is present, 
choose to download these logotypes and display them to the user when a 
certificate is displayed.

Applications don't caring about logos won't be effected since they just 
ignore this information without problem. The logo is only a display 
function and has no part in any DN or alternative name.

We will surely implement this in certificates if this gets to be
supported 
by any standard.

/Stefan

>
>Third:  People are complaining about size of certs now, this will 
>expand that issue

Everything is a tradeoff. In this case we can meet an important business

need with just a few bytes. I think this is one of those cases that 
definitely is worth it.

/Stefan

>
>
>David B. Cross
>
>
>         -----Original Message-----
>         From: Stefan Santesson [mailto:stefan@accurata.se]
>         Sent: Thursday, March 15, 2001 3:22 PM
>         To: ietf-pkix@imc.org
>         Subject: Logotypes in certificates
>
>
>         In last PKIX meeting in San Diego I presented some thoughts on

>creating a new extension for inclusion of logotype information in 
>certificates.
>
>         Last in this mail I include a primary suggested outline for 
>such extension.
>
>         But first a short summary of the rationale:
>
>         At a first glance it may seem irrelevant to include logotype 
>information in certificates and a natural first reaction is "OH NO... 
>NOT ANOTHER THING TO INCLUDE!! DON'T WE HAVE ENOUGH?!!!"
>
>         The fact is though that at the ETSI meeting this week (In the 
>group that handles European standards related to electronic 
>signatures). IT WAS GENERALLY RECOGNIZED THAT INCLUSION OF LOGOTYPE 
>DATA WOULD BE VERY USEFUL.
>
>         Why is that so?
>
>         The answer is that logotypes are carriers of trust and are 
>widely recognized tools for trust recognition. Have you ever thought 
>why EVERY physical instrument of trust, from loyalty cards, credit 
>cards to Passports, contain trust symbols in the form of logotypes.
>
>         Are certificates different? ABSOLUTELY NOT!!
>
>         If PKI is to take off in the private market, the certificates 
>must be user friendly and carry the same functionality (in electronic
>form) as ID-cards, passports and other physical ID:s do in physical 
>form. And logotypes are a FUNDAMENTAL part of that.
>
>         Without logotypes, certificates can only be handled and 
>presented as textual information for technically oriented users. This 
>is the reality I see.
>
>         What is your observation?
>
>         How can we then do this?
>
>         Technically speaking, we don't have to include the actual 
>logotype image and we don't have to destroy legacy applications.
>         I would suggest that we use the same mechanism that we 
>specified for biometric data in RFC 3039 where a non-critical extension

>can include for each logotype:
>
>         -  type of logo
>         -  type of hash algorithm
>         -  hash of logotype data
>         -  URI to location of data
>
>         This will only take a few bytes but will allow new 
>applications to import relevant logotypes, signed by the issuer of the 
>certificate, to be displayed to the user.
>
>         So... What to do with this?
>
>         If this is to be proceeded at all, It could be part of son of 
>RFC 2459, it could be part of a new RFC 3039 and it could be a new 
>draft or merged with some other work. I'm open for suggestions.
>
>         I hope to be able to meet with many of you and discuss this in

>Minneapolis next week.
>
>         /Stefan Santesson
>
>
>         logotypeInfo  EXTENSION ::= {
>                   SYNTAX             LogotypeSyntax
>                   IDENTIFIED BY      id-pe-logotypeInfo }
>
>               id-pe-logotypeInfo OBJECT IDENTIFIER  ::= {id-pe XX}
>
>               LogotypeSyntax ::= SEQUENCE OF LogotypeData
>
>               LogotypeData ::= SEQUENCE {
>                   typeOfLogotype       TypeOflogotype,
>                   hashAlgorithm        AlgorithmIdentifier,
>                   logotypeDataHash     OCTET STRING,
>                   sourceDataUri        IA5String OPTIONAL }
>
>               TypeOflogotype ::= CHOICE {
>                   predefinedLogotypeType    PredefinedLogotypeType,
>                   LogotypeTypeID            OBJECT IDENTIFIER }
>
>               PredefinedLogotypeType ::= INTEGER {
>                   subject-organization-logotype(0),
>                   issuer-organization-logotype(1)
>                   CA-network-logotype(2)}
>                   (subject-organization-logotype|
>                    issuer-organization-logotype|
>                     CA-network-logotype,...)
>
>
>         The predefined logotype types are
>
>         subject-organization-logotype, if used, SHALL be used to 
>include a logotype of the subject organization. The logotype SHALL be 
>consistent with, and require the presence of, an organization name 
>stored in the organization attribute in the subject field.
>
>         issuer-organization-logotype, if used, SHALL be used to 
>include a logotype of the issuer organization. The logotype SHALL be 
>consistent with, and require the presence of, an organization name 
>stored in the organization attribute in the issuer field.
>
>         CA-network-logotype, if used, SHALL be used to include a 
>logotype used by a network of CA services, provided by one or several 
>independent CA's, within which the issuer claims to issue this 
>certificate.
>
>