I still fail to see the problem. If you have a cross certified cert chain you should show the entire chain as logos. So the user would see the following:

[VeriSign PCA3] -> [SureTrust] -> [British Stuff PLC] -> [Alice]

Or

[JIS RoT] -X-> [BAL RoT] -X-> [Bob]

In other words there is no need for constraints because the user is going to see the trust chain explicitly.

I don't see any problem in stating that logotypes on end user certs should only be displayed if the root of trust says to use 'em. I think it is pretty clear that the app software vendors would want to load the new roots of trust with the images in them. I would not want to have to re-issue several thousand intermediate CAs to support logotypes however.

So the OID for the root cert would have to allow for the following cases:

1) Show logotypes of any cert in the chain that has one.

2) Only show logotypes if every cert below this one in the chain has a 'show logotypes' OID.

Phill

Phillip Hallam-Baker FBCS C.Eng.
Principal Scientist
VeriSign Inc.
pbaker@xxxxxxxxxxxx
781 245 6996 x227
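The two root-policy cases described in the message, worked as an added example that is not part of the original post: the chain renderer reproduces the arrow notation used above, and the policy evaluator decides which logotypes a client would display. The policy identifiers, the `Cert` model and the sample chains are assumptions standing in for real OIDs and parsed X.509 structures.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical policy identifiers standing in for the root-cert OID the post
# proposes; a real implementation would map these to registered OIDs.
SHOW_ANY = "show-any"                      # case 1: show every logotype in the chain
SHOW_IF_ALL_OPT_IN = "show-if-all-opt-in"  # case 2: every cert below the root must opt in


@dataclass
class Cert:
    name: str
    logotype: Optional[str] = None   # image reference carried in the cert, if any
    show_logotypes: bool = False     # the 'show logotypes' OID is present in this cert
    cross_certified: bool = False    # this cert sits behind a cross-certification link


def render_chain(chain: List[Cert]) -> str:
    """Draw the chain the way the post shows it: root first, '-X->' for cross-cert links."""
    out = f"[{chain[0].name}]"
    for cert in chain[1:]:
        out += (" -X-> " if cert.cross_certified else " -> ") + f"[{cert.name}]"
    return out


def logos_to_display(chain: List[Cert], root_policy: Optional[str]) -> List[str]:
    """Return the logotypes to render, root first. chain[0] is the root of trust."""
    if not chain or root_policy not in (SHOW_ANY, SHOW_IF_ALL_OPT_IN):
        return []   # root says nothing usable about logotypes: display none at all
    root, below = chain[0], chain[1:]
    shown = [root.logotype] if root.logotype else []
    if root_policy == SHOW_IF_ALL_OPT_IN and not all(c.show_logotypes for c in below):
        return shown   # one cert without the opt-in OID suppresses everything below the root
    return shown + [c.logotype for c in below if c.logotype]


# Constructed sample chains mirroring the two diagrams in the post.
VERISIGN_CHAIN = [
    Cert("VeriSign PCA3", "pca3.png", True),
    Cert("SureTrust", "suretrust.png", True),
    Cert("British Stuff PLC", None, False),   # old intermediate that was never re-issued
    Cert("Alice", "alice.png", True),
]
CROSS_CHAIN = [
    Cert("JIS RoT", "jis.png", True),
    Cert("BAL RoT", "bal.png", True, cross_certified=True),
    Cert("Bob", "bob.png", True, cross_certified=True),
]
```

Under case 2 the un-reissued intermediate in the first chain suppresses Alice's logotype, which is exactly the re-issuance cost the message wants to avoid; under case 1 it is simply skipped.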