RE: Logotypes in certificates

Stephen Kent <kent@bbn.com> Wed, 21 March 2001 23:16 UTC

Message-Id: <p05010405b6dee2605313@[128.33.238.72]>
In-Reply-To: <613B3C619C9AD4118C4E00B0D03E7C3E014C8B3E@exchange.valicert.com>
References: <613B3C619C9AD4118C4E00B0D03E7C3E014C8B3E@exchange.valicert.com>
Date: Wed, 21 Mar 2001 17:59:50 -0500
To: Ambarish Malpani <ambarish@valicert.com>
From: Stephen Kent <kent@bbn.com>
Subject: RE: Logotypes in certificates
Cc: ietf-pkix@imc.org
List-Archive: http://www.imc.org/ietf-pkix/mail-archive/
List-ID: <ietf-pkix.imc.org>

Ambarish,

>Steve,
>     This is the same argument as a CA issuing a cert to a
>subordinate, who issues incorrect certificates with it - e.g.
>issues a certificate for the domain www.amazon.com to say BN.
>
>Either a CA controls/audits subordinate CAs, or has enough
>reason to trust them, or the value of that hierarchy is
>pretty useless.
>
>I don't think logos in certificates affect this either way.

No, the argument is not the same.  We have the nameConstraints 
extension as a technical means of preventing a CA and subordinate CAs 
from issuing certs with names outside of a well-defined range. We do
not have a means to enforce similar controls re logos. That's the 
whole point of my concern.

Steve
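
The nameConstraints control mentioned in the reply above, shown for dNSName entries as an added example that is not part of the original message: it applies the RFC 5280 section 4.2.1.10 subtree match to every CA above a leaf certificate. The CA subjects, the bn.example subtree and all function names are assumptions made for illustration; www.amazon.com is the name used in the quoted text.

```python
# Added illustration: RFC 5280 section 4.2.1.10 dNSName matching only.
# The chain below is constructed sample data, not real certificates.

def labels(name):
    """Lower-cased DNS labels, ignoring a trailing root dot."""
    return name.lower().rstrip(".").split(".")

def in_subtree(name, base):
    """True if `name` equals `base` or adds whole labels to its left."""
    n, b = labels(name), labels(base)
    return len(n) >= len(b) and n[len(n) - len(b):] == b

def allowed_by(name, permitted, excluded):
    """Apply one CA certificate's dNSName constraints to one name."""
    if any(in_subtree(name, base) for base in excluded):
        return False  # excluded subtrees always win over permitted ones
    # An absent permitted list leaves dNSNames unrestricted by this CA.
    return not permitted or any(in_subtree(name, base) for base in permitted)

def check_chain(ca_chain, leaf_dns_names):
    """Return (name, CA subject) for each leaf name that some CA above it forbids."""
    violations = []
    for name in leaf_dns_names:
        for ca in ca_chain:
            if not allowed_by(name, ca.get("permitted", []), ca.get("excluded", [])):
                violations.append((name, ca["subject"]))
                break
    return violations

# Constructed chain: the root is unconstrained, the subordinate is limited
# to a hypothetical bn.example subtree by its issuer.
CHAIN = [
    {"subject": "Root CA"},
    {"subject": "BN Subordinate CA", "permitted": ["bn.example"]},
]

if __name__ == "__main__":
    # A cert the subordinate issues for a name outside its subtree is rejected.
    print(check_chain(CHAIN, ["www.amazon.com", "shop.bn.example", "notbn.example"]))
```

Matching is done on whole labels, so notbn.example does not fall inside bn.example even though it ends with the same characters.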