
Re: cert image I-D



Phil,

What you suggest is really interesting.

It is however substantially different to have the validation infrastructure
provide presentation images instead of the issuer (CA), but I can also see
the benefits as it would allow retroactive deployment for existing
certificates.

I would not make this a change of approach however, but list it as possible
complementary work that we should discuss as a possible follow up.

/Stefan


On 09-05-16 4:45 AM, "Phillip Hallam-Baker" <hallam@xxxxxxxxx> wrote:

> 
> I think this is useful work to look at.
> 
> One change of approach I would suggest is to allow any extensions to
> be expressed in either a cert itself or an OCSP response. That allows
> for considerably greater flexibility in deployment as we discovered
> was necessary during deployment of EV certs.
> 
> Think about the problem of enabling EV on every single web site of a
> large bank at the same time, and the cost of customer service calls if
> you do it piecemeal.
> 
> On Wed, May 13, 2009 at 1:56 PM, Stephen Kent <kent@xxxxxxx> wrote:
>> 
>> Folks,
>> 
>> I have reviewed the discussion on the list re Stefan's cert image proposal.
>> While there were comments for and against, the positive comments, especially
>> from folks who are in a position to make use of this feature, were
>> persuasive.
>> 
>> We will proceed with this as a new PKIX WG work item.  This is not a
>> guarantee that the WG will approve a document, but rather that we will
>> explore approaches to achieving the goals described by Stefan and try to
>> come to consensus on a specific technical approach. We can decide later
>> whether this is standards track, experimental or even informational.
>> 
>> Steve
>> 
>> 
> 
>