RE: Logotypes in certificates

["Bob Jueneman" <bjueneman@novell.com>]

I've been behind on my e-mail or I would have jumped 
into this discussion much earlier, for I think that Stefan 
is dead on, and it isn't just about branding.

I proposed including logos in certificates about three or 
four years ago or longer, due to one overwhelming problem
when it comes to human acceptance of certificates,
and that is the issue of multiple language support and
non-ASCII characters.

I don't know about anyone else, but my Russian is extremely
rusty, and I can barely read the alphabet. I don't speak or
read Greek, but I can at least read the alphabet.

Now, if someone sends me a certificate with a name in 
Japanese, Chinese, Hebrew, Arabic, Sanscrit, Thai,
or Klingon -- arbitrary Unicode characters, if you
will --  what I am supposed to do with it? I can't even read 
the characters well enough to do a visual comparison
for equality.

And it gets worse when you consider the issue of "right to
use" names, particularly in some of the Asian countries where 
the CAs are closely tied to the government -- they will 
insist on the native language of that country being
used.

Yes, you could put either an English translation or
transliteration in an alternate subject name, but those 
names probably aren't in any sense official, and 
there are therefore significant right to use issues.
When you translate from the Cyrillic, should the name
be "Krasny Izvestia" , or "Red Star"?  Likewise
there are the "Peking" vs. "Beijing" issues, etc.
To us these issues seem be relatively unimportant, but
wars have been fought  over such linguistic matters.

My options would therefore seem to be:

1. Accept everything that comes from VeriSign, etc.,
whether I can read the entity's name or not.

2. Reject everything that comes from VeriSign, etc.,
whether I can read the entity's name or not, and
especially if I can't -- make everyone speak English! :-)

3. Participate only in closed user groups where
the decisions as to whether I should accept a
certificate are taken out of my hands and are
enforced by my MIS organization or higher-ups.

None of these are acceptable, in my opinion.

But if I put a logo in the certificate, in all likelihood
that logo is a trademark that is vigorously defended
and may be recognized worldwide.

Yes, the CAs will have to worry about trademark right 
to use issues, but in fact those issues are well understood
from a legal perspective, and certainly under better 
control than the slippery issue of right-to-use for DNS names.

I don't have an opinion yet as to issues of precisely how
such information should be encoded, and/or whether
name subordination ought to apply, but I think there is
a strong justification for the ability to include a logo
in a certificate.

Off the top of my head, I believe it ought to be possible to
associate a logo with both Subject and Issuer, and
I absolutely agree with Russ -- a policy OID or constraint
would be an absolutely terrible place to put it, except perhaps
as a seal of approval or qualification mark for a closed 
user group or association.

Bob

Robert R. Jueneman
Security Architect

Novell, Inc -- the leading provider of Net services software