Re: charter revisions
Steve (K),
I'd have to agree with Steve H, though maybe not as strongly.
My suggestion would be to limit the additional items to the
dpd/dpv.
In addition, the replacement charter text doesn't mention the
fact that PKIX has profiled the X.509 AC, which I guess I can't
let pass :-)
Stephen.
Steve Hanna wrote:
>
> I haven't seen any comments on the revised charter yet. Most of it looks
> good to me. However, I don't think PKIX should do any work on the
> logotype extension. I know that there is a demand for this from
> marketing folks, but I don't believe that we should standardize it
> unless it can be used securely. This does not seem possible.
>
> First, CAs will find it very hard to verify whether a particular
> logotype should be included in a particular certificate. They'll just
> need to certify whatever the client gives them and disclaim all
> responsibility for its accuracy. With textual names, at least they can
> make some attempt to verify that the name corresponds to the requesting
> client (by requiring a response from an email address before it's
> certified, for instance).
>
> Second, there's no equivalent to name constraints for use in cross
> certificates. If I cross-certify someone, I just have to trust that they
> (and anyone they certify) will only put proper logotypes into
> certificates.
>
> Third, an apparently innocuous logotype can change appearance radically
> when scaled to a smaller size or mapped to a different number of colors.
> This can be exploited to deceive cell phone users into thinking that
> they're communicating with their bank, for instance.
>
> Unless these concerns can be addressed, I do not think that this
> proposal is safe and secure. And I do not think that the IETF should
> publish an RFC on a fundamentally insecure idea, especially from a
> security working group.
>
> -Steve
--
____________________________________________________________
Stephen Farrell
Baltimore Technologies, tel: (direct line) +353 1 881 6716
39 Parkgate Street, fax: +353 1 881 7000
Dublin 8. mailto:stephen.farrell@xxxxxxxxxxxx
Ireland http://www.baltimore.com