[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: charter revisions

To: Bob Jueneman <bjueneman@xxxxxxxxxx>
Subject: Re: charter revisions
From: Steve Hanna <steve.hanna@xxxxxxx>
Date: Wed, 05 Sep 2001 14:12:02 -0400
Cc: pbaker@xxxxxxxxxxxx, ietf-pkix@xxxxxxx
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
Organization: Sun Microsystems, Inc.
References: <>
Sender: owner-ietf-pkix@xxxxxxxxxxxx

Bob Jueneman wrote:
> I wasn't suggesting that logos should be restricted to end-entities,
> I was only pointing out that such a restriction would immediately
> make the issue of name subordination and misuse of the logo by some
> intermediate CA go away.

This isn't true. Name constraints allow me to cross certify IBM's CA but
indicate that the only DNs it is trusted to certify are those that begin
with "c=us, o=IBM". Even if logos are restricted to end-entities,
there's nothing stopping IBM's CA from placing a Sun logo in an
end-entity certificate. So restricting logos to end-entities doesn't
"make the issue of name subordination and misuse of the logo by some
intermediate CA go away."

> (BTW, someone informed me that null crypto, e.g., plaintext, is a
> valid option in SSL, and worse yet, that if that option were
> selected because it was all that was available, the padlock icon
> would still appear and the https requirement for SSL security would
> be satisfied.  Can anyone confirm that?)

I don't know about Internet Explorer, but Netscape Communicator 4.75 has
a checkbox under Security Preferences (accessed by clicking the
Navigator tab on the left and the Configure SSLv3 button) that allows
the user to enable "No encryption with an MD5 MAC". This checkbox is NOT
checked by default. I expect that this means that support for
Communicator will REJECT SSL connections with authentication but no
encryption, unless the user explicitly configures it otherwise. This
seems like reasonable behavior.

Phillip Hallam-Baker wrote:
> Another issue is size. I don't much want to see the size of
> certificates increase yet further. Perhaps a hash of the image
> and a URL would be preferable. Perhaps something a bit more.

Bob Jueneman wrote:
> I also like your suggestion of a URL and a message digest, rather
> than attempting to transport the entire logo itself within the
> certificate.

Apparently, you haven't read the draft that serves as the basis for this
discussion, draft-ietf-pkix-logotypes-00.txt. The suggested format is a
message digest and a URL.

-Steve

References:
- RE: charter revisions
  - From: Bob Jueneman

Prev by Date: Re: Removing expired certificates from CRLs.....
Next by Date: RE: charter revisions
Previous by thread: RE: charter revisions
Next by thread: RE: charter revisions
Index(es):
- Date
- Thread