> Bob Jueneman wrote:
> > I wasn't suggesting that logos should be restricted to end-entities,
> > I was only pointing out that such a restriction would immediately
> > make the issue of name subordination and misuse of the logo by some
> > intermediate CA go away.
>
> This isn't true. Name constraints allow me to cross certify IBM's CA but
> indicate that the only DNs it is trusted to certify are those that begin
> with "c=us, o=IBM". Even if logos are restricted to end-entities,
> there's nothing stopping IBM's CA from placing a Sun logo in an
> end-entity certificate. So restricting logos to end-entities doesn't
> "make the issue of name subordination and misuse of the logo by some
> intermediate CA go away."

I don't see this as a problem for several reasons:

1) Logotypes have utility even if they cannot be used with cross-certification.

2) The security of the infrastructure depends on the DNS system and not the X.500 name system. The fact that the name is constrained as you state does not in practice affect Internet applications. It might affect OSI applications if any existed.

3) The objection is simply a restatement of the proposition that 'bad things happen if you cross certify with someone who is not trustworthy'. This is not news.

> Apparently, you haven't read the draft that serves as the basis for this
> discussion, draft-ietf-pkix-logotypes-00.txt. The suggested format is a
> message digest and a URL.

The basis for this discussion is the proposed charter amendments.

Phill
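The exchange above turns on what X.509 name constraints actually reach: the subject DN (and, for Internet applications, the subjectAltName dNSNames) of certificates below the cross-certificate, and nothing else. The following is an added example, not code from this thread or from draft-ietf-pkix-logotypes-00.txt, and it uses a toy certificate model (plain dicts, no ASN.1, constructed names such as "c=us, o=Sun" and a made-up logo URL) to show both halves of the argument: a cross-certificate constrained to "c=us, o=IBM" and "ibm.com" is satisfied by an IBM end-entity certificate that nevertheless carries a Sun logo (digest plus URL, the draft's suggested shape), because path validation never examines the logotype extension. The `logo_from_trusted_issuer` policy check is an assumed relying-party mitigation, not anything the draft specifies.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed, minimal certificate model for this example: only the fields
# path validation would look at. Not a real X.509 implementation.
RDN = Tuple[str, str]      # (attribute type, value), e.g. ("O", "IBM")
DN = Tuple[RDN, ...]       # root-most RDN first, as in "c=us, o=IBM, cn=..."


def parse_dn(text: str) -> DN:
    """Turn 'c=us, o=IBM' into (('C', 'us'), ('O', 'IBM')); attribute types are case-insensitive."""
    out: List[RDN] = []
    for rdn in text.split(","):
        attr, _, value = rdn.strip().partition("=")
        out.append((attr.strip().upper(), value.strip()))
    return tuple(out)


def dn_in_subtree(subject: DN, base: DN) -> bool:
    """RFC 5280 name constraints: a DN is within a DirectoryName subtree when base is a prefix of it."""
    if len(subject) < len(base):
        return False
    return all(a == b and u.casefold() == v.casefold()
               for (a, u), (b, v) in zip(subject, base))


def dns_in_subtree(name: str, base: str) -> bool:
    """dNSName subtree: 'mail.ibm.com' is within 'ibm.com'; 'ibm.com.evil' and 'notibm.com' are not."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".").lstrip(".")
    return name == base or name.endswith("." + base)


def make_cert(subject: str, issuer: str, *, san_dns: Tuple[str, ...] = (),
              permitted_dn: Optional[str] = None, permitted_dns: Optional[str] = None,
              logo: Optional[Tuple[bytes, str]] = None) -> Dict:
    """Build a certificate-like dict. `logo` is (image bytes, URL): the draft's digest-plus-URL shape."""
    cert = {"subject": parse_dn(subject), "issuer": parse_dn(issuer), "san_dns": san_dns,
            "permitted_dn": parse_dn(permitted_dn) if permitted_dn else None,
            "permitted_dns": permitted_dns, "logotype": None}
    if logo is not None:
        image, url = logo
        cert["logotype"] = {"sha256": hashlib.sha256(image).hexdigest(), "url": url}
    return cert


def name_constraints_ok(chain: List[Dict]) -> bool:
    """Walk a chain ordered trust anchor -> end entity, applying each CA's permitted subtrees
    to every certificate below it. Only the subject DN and SAN dNSNames are examined, as in
    RFC 5280 path validation; the logotype extension is never consulted."""
    for i, ca in enumerate(chain[:-1]):
        for below in chain[i + 1:]:
            if ca["permitted_dn"] and not dn_in_subtree(below["subject"], ca["permitted_dn"]):
                return False
            if ca["permitted_dns"] and not all(dns_in_subtree(n, ca["permitted_dns"])
                                               for n in below["san_dns"]):
                return False
    return True


def logo_from_trusted_issuer(cert: Dict, logo_issuers: Tuple[str, ...]) -> bool:
    """Assumed relying-party policy (not part of the draft): display a logo only when the
    certificate's issuer is on an explicit list of CAs trusted to vouch for logos."""
    if cert["logotype"] is None:
        return True  # nothing to display, nothing to decide
    return cert["issuer"] in tuple(parse_dn(d) for d in logo_issuers)


def example_chain() -> Tuple[Dict, Dict, Dict]:
    """Sun cross-certifies IBM's CA, constrained to 'c=us, o=IBM' and 'ibm.com'; IBM's CA then
    issues an end-entity certificate inside those subtrees that carries a Sun logo."""
    sun_root = make_cert("c=us, o=Sun", "c=us, o=Sun")
    cross = make_cert("c=us, o=IBM, cn=IBM CA", "c=us, o=Sun",
                      permitted_dn="c=us, o=IBM", permitted_dns="ibm.com")
    sun_logo_png = b"\x89PNG constructed placeholder image bytes"   # constructed, not a real image
    ee = make_cert("c=us, o=IBM, cn=mail.ibm.com", "c=us, o=IBM, cn=IBM CA",
                   san_dns=("mail.ibm.com",),
                   logo=(sun_logo_png, "https://www.sun.example/logo.png"))  # assumed URL
    return sun_root, cross, ee


def demo() -> Tuple[bool, bool]:
    sun_root, cross, ee = example_chain()
    return name_constraints_ok([sun_root, cross, ee]), logo_from_trusted_issuer(ee, ("c=us, o=Sun",))


if __name__ == "__main__":
    constraints_pass, logo_allowed = demo()
    print("name constraints satisfied:", constraints_pass)    # True: the DN and DNS name are IBM's
    print("logo from a CA trusted for logos:", logo_allowed)  # False: IBM's CA, not Sun, issued it
```

Running `demo()` gives `(True, False)`: the constrained cross-certificate does its job on names, and the Sun logo still arrives in a valid IBM certificate. Whatever keeps that logo off the screen has to be a relying-party decision about who may vouch for logos, which is the substance of point 3 above; the dNSName branch is what Internet applications actually enforce, which is point 2.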