IETF Logo Mail Archive

RE: Logotypes in certificates

Ambarish Malpani <ambarish@valicert.com> Wed, 21 March 2001 17:15 UTC

Received: from above.proper.com (above.proper.com [208.184.76.39]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA01128 for <pkix-archive@odin.ietf.org>; Wed, 21 Mar 2001 12:15:12 -0500 (EST)
Received: from localhost (daemon@localhost) by above.proper.com (8.9.3/8.9.3) with SMTP id JAA15635; Wed, 21 Mar 2001 09:14:21 -0800 (PST)
Received: by mail.imc.org (bulk_mailer v1.12); Wed, 21 Mar 2001 09:14:15 -0800
Received: from ext-mail.valicert.com (ns1.valicert.com [63.65.221.10]) by above.proper.com (8.9.3/8.9.3) with ESMTP id JAA15604 for <ietf-pkix@imc.org>; Wed, 21 Mar 2001 09:14:14 -0800 (PST)
Received: from CONVERSION-DAEMON by ext-mail.valicert.com (PMDF V5.2-33 #46613) id <0GAK0080155WRY@ext-mail.valicert.com> for ietf-pkix@imc.org; Wed, 21 Mar 2001 09:13:08 -0800 (PST)
Received: from polaris.valicert.com ([192.168.2.34]) by ext-mail.valicert.com (PMDF V5.2-33 #46613) with ESMTP id <0GAK006OX55WQ3@ext-mail.valicert.com>; Wed, 21 Mar 2001 09:13:08 -0800 (PST)
Received: by exchange.valicert.com with Internet Mail Service (5.5.2650.21) id <HKLW09NM>; Wed, 21 Mar 2001 09:06:35 -0800
Content-return: allowed
Date: Wed, 21 Mar 2001 09:06:35 -0800
From: Ambarish Malpani <ambarish@valicert.com>
Subject: RE: Logotypes in certificates
To: 'Stephen Kent' <kent@bbn.com>, Dean Povey <povey@dstc.qut.edu.au>
Cc: ietf-pkix@imc.org
Message-id: <613B3C619C9AD4118C4E00B0D03E7C3E014C8B3E@exchange.valicert.com>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-type: text/plain; charset="iso-8859-1"
Precedence: bulk
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>
List-Unsubscribe: mailto:ietf-pkix-request@imc.org?body=unsubscribe

Steve,
    This is the same argument as a CA issuing a cert to a
subordinate, who issues incorrect certificates with it - e.g.
issues a certificate for the domain www.amazon.com to say BN.

Either a CA controls/audits subordinate CAs, or has enough
reason to trust them, or the value of that hierarchy is
pretty useless.

I don't think logos in certificates affect this either way.

Regards,
Ambarish

---------------------------------------------------------------------
Ambarish Malpani
Architect                                                650.567.5457
ValiCert, Inc.                                  ambarish@valicert.com
339 N. Bernardo Ave.                          http://www.valicert.com
Mountain View, CA 94043


> -----Original Message-----
> From: Stephen Kent [mailto:kent@bbn.com]
> Sent: Tuesday, March 20, 2001 8:57 PM
> To: Dean Povey
> Cc: ietf-pkix@imc.org
> Subject: Re: Logotypes in certificates
> 
> 
> Dean and Stefan,
> 
> As a security kinda' guy, I always approach this from the "what will 
> the bad giy do" perspective.  From that perspective, I worry that a 
> TTP CA will cerfity company X, putting the company X logo in the 
> cert. Then company X will issue a cert to a subordinate CA, and put 
> in that cert an inappropriate logo. It is not realistic for an app to 
> display a chain of logos, and expect a user to pay attention, any 
> more that if one displayed a chain of DNs.  I still maintain that we 
> can agree on what would be a reasonable set of circumstances in which 
> the logo extension would be useful and safe, but I don't see a 
> technical means of enforcing these circumstances without changes to 
> the path validation algorithm. I am open to suggestions that provide 
> the necessary controls and don't have this unfortunate side effect, 
> but I have yet to see an example of such.
> 
> Steve
>

v2.23.0 | Report a Bug | By Email