RE: Logotypes in certificates

[Stefan Santesson <stefan@addtrust.com>]

Todd,

I may have misunderstood you but the proposal to include logotype 
information is definitely about certificate content.

The proposal suggests a method to contain relevant information about 
logotypes in certificates in a way that allows a client to get, validate 
and display the logo to an end user.

How the client does that is not the major issue, just to provide the 
possibility.

/Stefan

At 15:20 2001-03-20 +0000, todd.glassey@att.net wrote:

>--
>Regards,
>Todd
> > Colleagues - I am supportive of the idea of including branding information
> > in certificates.  I recognize Steve's concern.  But, I suggest that there
> > should be no impact on processing rules ... other than ... in applications
> > where the relying party is a human, the logo from the very first 
> certificate
> > in the path should be displayed to him/her.  When a relying party accepts a
> > trust anchor, their experience should be identical regardless of the 
> details
> > of the remainder of the path.  Best regards.  Tim.
>
>
>This this is an instance wherein you are talking about
>is the end-use model for the cert and not the cert
>content. It is important to differentiate the two
>since use of a cert is more an applications level effort.
>
>The concept in "displaying" squat to anyone takes the
>issue out of the "content" and into the "use of" realms
>which seems to be more "application oriented" than ANYTHING,
>and as such not something that PKIX should be
>concerning itself with unless it is going to change again
>and start to publish certified use models for its wares.
>
>In which case the structure and accountability of PKIX for
>what it is producing must also change significantly more
>towards the ISO standards I think.
>
>
> >
> >
> > -----Original Message-----
> > From: Stephen Kent [mailto:kent@bbn.com]
> > Sent: Monday, March 19, 2001 11:47 AM
> > To: Stefan Santesson
> > Cc: ietf-pkix@imc.org
> > Subject: RE: Logotypes in certificates
> >
> >
> > Stefan,
> >
> > I have mixed feelings about this proposal. We have, in the
> > NameConstraints extension, a powerful mechanism for making cross
> > certification a safe thing to do. If one were to include a logotype
> > extension in a cert that was issued by a CA who had been cross
> > certified using name constraints, it holds the potential for
> > seriously undermining the controls imposed by NameConstraints.
> >
> > There is an issue here that merits discussion: the logotype is
> > presumably useful only when people are being asked to accept/reject
> > certs, in addition to or in lieu of the many software-based controls
> > that v3 certs offer. If the use is in lieu of use of more extensive
> > software-based controls, there may not be a conflict, since the
> > context is probably that of a TTP CA where NameConstraints and
> > similar controls are of minimal use. However, if the syntactic
> > controls are also in use, a logotype extension may be of limited
> > value and might easily degrade security.
> >
> > So, I would be opposed to PKIX approving this sort of extension (even
> > as a separate RFC from 2459bis) without imposing significant
> > constraints on the contexts in which it is to be used, including
> > limitations on its use in conjunction with other extensions, e.g.,
> > NameConstraints. What worries me even more, is that we might have to
> > extend/modify the validation procedure to enforce such
> > inter-extension constraints, which would then affect 2459bis!
> >
> > Steve