[lamps] Warren Kumari's Discuss on draft-ietf-lamps-rfc3709bis-08: (with DISCUSS)

[Warren Kumari via Datatracker <noreply@ietf.org>]

Warren Kumari has entered the following ballot position for
draft-ietf-lamps-rfc3709bis-08: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-lamps-rfc3709bis/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Don't Panic! As noted in
https://www.ietf.org/blog/handling-iesg-ballot-positions/, a DISCUSS ballot is
a request to have a discussion...

I'm assuming that I'm missing something really obvious here, but this *feels*
like a bad idea to me...

The document says: "The use of logotypes will, in many cases, affect the users
decision to trust and use a certificate." Yes, but that seems like a bad
outcome...

Random things on the Internet tell me that Microsoft has a well recognized
logo. Seems plausible, let's use that as an example. When a user is trying to
figure out if a certificate actually belongs to Microsoft they are likely to go
"Oh, yes, it's a square composed of other colored squares, this must really be
Microsoft", even if the CN is for www.evil-attackers-r-us.net. Even without an
attacker intentionally creating visually confusing logos, many are similar -
for example, https://icn.bg/ looks really similar to Microsoft's logo (and many
things look very similar to the Pepsi logo -
https://yourmileagemayvary.net/2021/05/23/look-up-in-the-sky-its-a-coke-plane-its-a-pepsi-plane-its/
).

Here is an image with two logos:
https://cdn.mos.cms.futurecdn.net/hD95PaJgx5ZZVCFduTWhtg-1200-80.jpg.webp One
of these is for airbnb, and one is for a Japanese drive-in. Keeping in mind
that, as a user, the logotype is likely to affect your decision to trust and
use the cert, when entering your credit-card info to book your next vacation
rental, do you know which of these you should expect? If you get the drive-in
one, would you really recognize that?

The document uses VISA and MasterCard as examples, but, without looking in your
wallet to actually confirm what their logos look like, are you *sure* that you
would be able to unambiguously identify them if placed next to logos made by an
attacker?

Ok, so now that I've had my soapbox rant: This document updates RFC 3709 and
RFC 6170, which been around since 2004 and 2011 respectively. Apparently the
sky hasn't actually fallen yet, and so I must be missing something. I did spend
quite a while trying to find examples using RFC3709/RFC6170, so I could figure
out what I'm missing, but failed. I *did* find a few CA certs with this, but
they just had links to http://logo.verisign.com/vslogo.gif (which doesn't
resolve). The only "live" cert was for https://www.dtihost.cz/, but it's not
valid.

Again, I'm probably missing something obvious, and so clue-bat appreciated...