IETF Logo Mail Archive

Re: Logotypes in certificates

Dean Povey <povey@dstc.qut.edu.au> Thu, 22 March 2001 22:17 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id RAA23351 for <pkix-archive@odin.ietf.org>; Thu, 22 Mar 2001 17:17:42 -0500 (EST)
Received: from localhost (daemon@localhost) by above.proper.com (8.9.3/8.9.3) with SMTP id OAA28866; Thu, 22 Mar 2001 14:17:12 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Thu, 22 Mar 2001 14:17:10 -0800
Received: from thunder.dstc.qut.edu.au (thunder.dstc.qut.edu.au [131.181.71.1]) by above.proper.com (8.9.3/8.9.3) with ESMTP id OAA28835 for <ietf-pkix@imc.org>; Thu, 22 Mar 2001 14:17:07 -0800 (PST)
Received: from dstc.qut.edu.au (garnet.dstc.qut.edu.au [131.181.71.36]) by thunder.dstc.qut.edu.au (8.10.1/8.10.1) with ESMTP id f2MMH5m09077; Fri, 23 Mar 2001 08:17:06 +1000 (EST)
Message-Id: <200103222217.f2MMH5m09077@thunder.dstc.qut.edu.au>
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
To: Trevor Freeman <trevorf@Exchange.Microsoft.com>
Cc: ietf-pkix@imc.org
Subject: Re: Logotypes in certificates
In-reply-to: Your message of "Thu, 22 Mar 2001 11:58:58 PST." <CC2E64D4B3BAB646A87B5A3AE97090420D0F46DA@speak.dogfood>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Fri, 23 Mar 2001 08:17:05 +1000
From: Dean Povey <povey@dstc.qut.edu.au>
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

>Logically speaking, this is a name in that we are talking about a token
>which represents an organization. Its just a graphical token, not a
>textual token. However I full agree with Steve that like other name
>forms, we have to validate the CAs write to assert that logo. I for one
>don't see a way to make this work with graphics, and unless it lives by
>the same rules as text rules, it is open to abuse and therefore is a
>very bad idea.

This is really a very defeatist attitude.  Just because you can't enforce
technically the ability to make a logo fall within a certain `space'
doesn't mean you can't control it technically.  What constraints could the
a higher level CA possibly want to enforce on a logo later in the path
other than the right to either include one or not?  Name Constraints
already exists to restrict the range of possible spaces the DN/names would fall
into (i.e. who you can issue certs to) and the subordinate CA has to follow
the certificate policy or the whole thing falls down anyway.  

This is a really esoteric problem, and there is a simple solution - punt 
it to policy and revoke the subordinate CAs cert if they break the rules.  
Honestly you have far more to worry about if the subordinate CA is not 
following your identification/authentication rules than if they are 
including a pointer to a logo in their cert.  You can no more enforce 
these with fields in the Certificate than you can enforce constraints on 
graphical types.

The big benefit of logos is surely that it makes Joe User more involved/
aware of the security process that is occurring.  Give the propensity of 
users to ignore pop up text messages (or turn them off), this has to be a 
good thing.


-- 
Dean Povey,         | e-m: povey@dstc.edu.au | JCSI:  Java Crypto Toolkit 
Research Scientist  | ph:  +61 7 3864 5120   | uPKI:  C PKI toolkit for embedded
Security Unit, DSTC | fax: +61 7 3864 1282   |        systems
Brisbane, Australia | www: security.dstc.com | Oscar: C++ PKI toolkit

v2.23.0 | Report a Bug | By Email