Re: Embedded certificate image
Stefan:
While it is unreasonable to dictate what a CA can accept, I think
that the Security Considerations section should say something like: "the
information about the certificate subject contained in the image SHOULD
NOT include any graphic supplied by the applicant". The "tumor" construct
which we saw in MD5 collisions could be placed into such a graphic. Thus
if a CA were to construct a graphic by inserting a customer-provided
graphic into a template provided by the CA, it would be subject to the
same attacks as MD5 certificates have been, but it would not be evident
from the certificate syntax.
Tom Gindin
Stefan Santesson <stefan@xxxxxxxxxxx>
Sent by: owner-ietf-pkix@xxxxxxxxxxxx
07/31/2009 02:19 PM
To: "Timothy J. Miller" <tmiller@xxxxxxxxx>, Santosh Chokhani <SChokhani@xxxxxxxxxxxx>
cc: ietf-pkix <ietf-pkix@xxxxxxx>
Subject: Re: Embedded certificate image
Tim,
It is not reasonable for this standard to dictate what a CA accepts as
input.
/Stefan
On 09-07-31 6:57 PM, "Timothy J. Miller" <tmiller@xxxxxxxxx> wrote:
> Santosh Chokhani wrote:
>
>> RFC says "The relationship between the subject organization and the
>> subject organization logotype, and the relationship between the
>> issuer and either the issuer organization logotype or the community
>> logotype, are relationships asserted by the issuer."
>>
>> It tends to imply that the logotype is predefined data and not in the
>> certificate request payload.
>
> I'd feel better if it were explicit that the subject logotype is
> provided by the issuer.
>
> As it is, I think it can be read either way. The issuer asserts
> everything in the cert, after all, but it didn't create it all; much was
> provided by the applicant.
>
> -- Tim