
RE: charter revisions



Bob,


> I wasn't suggesting that logos should be restricted to 
> end-entities, I was only pointing out that such a restriction 
> would immediately make the issue of name subordination and 
> misuse of the logo by some intermediate CA go away.

I didn't understand the problem. If you have bad intermediate CAs you have
rather more problems than just bad logos!


> I can see some significant marketing value in supporting an 
> AUTHENTICATED use of a logo in an end-entity certificate, for 
> example to convey a professional license or association 
> membership in the case of an individual, and accredited 
> membership in a trade or merchant association, such as a Visa brand.

Which is my interest. The fact that a logo must be authenticated is not a
problem if the market will bear the cost. I believe that customers would be
very pleased to pay an additional fee for an enhanced certificate.


> I also like your suggestion of a URL and a message digest, 
> rather than attempting to transport the entire logo itself 
> within the certificate. Both the retrieval and display of the 
> logo could then be optional, and the logo could be cached 
> within the browsers, etc. Although you didn't raise the point 
> regarding the use by visually handicapped users, I was 
> particularly impressed by the original reference to Scalable 
> Vector Graphics, and to the potential use of alternate forms 
> of identification, ranging from an audible logo (spoken, a 
> commercial jingle, or whatever) to a braille pattern. 

I don't see that the disabilities issue is relevant. We are talking about an
additional feature, not the sole feature. Browsers for disabled users
already have to deal with the security issue. Logos would not make that
problem any harder. It is already possible to put the DN into Braille.

The spoken logo is more interesting because voice based applications are
increasing. The problem of distinguishing authenticated voice from
unauthenticated is considerably worse, however.


> Of course it would be nice to have a solid indication of 
> interest from the client software vendors to address the "if 
> we build it will they come" question, but the absence of such 
> a commitment certainly hasn't stopped us in the past, and it 
> seems quite unlikely that we could ever obtain such a 
> commitment when we are still debating the charter, and 
> haven't begun to work on an RFC yet. 

Absolutely, I just thought I would add in my one legitimate concern.

The concerns raised seemed to be mainly legal quibbles from non-lawyers. I
asked our lawyers and got a pretty enthusiastic response to the idea in
principle but as with the policy document they believe lawyers should be
involved in the drafting of the document. The idea of a legal considerations
section was well received.


> I don't mean to ignore or reject the valid concerns that have 
> been expressed, but I do believe that sufficient technical 
> progress has been made even in this limited dialogue to 
> conclude that this is a valid work item, and one that has at 
> least a reasonable chance of success.

I agree.


		Phill

Attachment: Phillip Hallam-Baker (E-mail).vcf