[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-pkix-logotypes-06.txt


Denis:

Since we are still in Working Group Last Call, here are my 12 comments on
that document.

1. Page 6. Section 3. Logotype data

"Implementations MUST support image data; however, support for audio data is
OPTIONAL." Audio is a good joke, in the same way, as pheromones. We are
supposed to deal with serious documents. Please delete.

I belive that the response from Tom Gindin shows that there is support for audio in support if disabled users. I believe that the document is clear that the support is OPTIONAL.


2. Page 7. Section 4.1 Extension format

"Clients MUST support both direct and indirect addressing."

I disagree. If an end-user certificate is included in a signature, it may be
interesting to display the logotype even if the terminal is off-line.
Indirect addressing would mandate an on-line connection.

Replace with:

"Clients claiming to conform with this document SHALL support direct
addressing. Clients MAY also support indirect addressing."

We have already had a dialogue on this point. I hope it is resolved.


3. Page 7. Section 4.1 Extension format

There is no text which states what the client should do whenever it is
unable to support a given logotype. Insert the following text:

"Whenever a client is unable to support a given logotype, no error SHALL be
reported and the client MUST behave as if there was no logotype included in
the certificate".

I will add a similar sentence to the second paragraph of section 6. The paragraph now says:

   After a certification path is successfully validated, the replying
   party trusts the information that the CA includes in the certificate,
   including any certificate extensions. The client software can choose
   to make use of such information, or the client software can ignore
   it. If client is unable to support a provided logotype, the client
   MUST NOT report an error, rather the client MUST behave as though no
   logotype extension was included in the certificate. Current standards
   do not provide any mechanism for cross-certifying CAs to constrain
   subordinate CAs from including private extensions (see the security
   considerations section).


4. Page 8. Section 4.1.

      LogotypeData ::= SEQUENCE {
         image           SEQUENCE OF LogotypeImage     OPTIONAL,
         audio           [1] SEQUENCE OF LogotypeAudio OPTIONAL }

Since audio support should be suppressed, replace with:

LogotypeData ::= SEQUENCE OF LogotypeImage

This is related to comment 1. No change will be made.


5. Page 7. Section 4.1.

We have:

communityLogo [0] EXPLICIT LogotypeInfo OPTIONAL,

      LogotypeInfo ::= CHOICE {
         direct          [0] LogotypeData,
         indirect        [1] LogotypeReference }

      LogotypeData ::= SEQUENCE {
         image           SEQUENCE OF LogotypeImage OPTIONAL,

No explanations are given on the text about what to do for a client when
there is more than one LogotypeImage present in a communityLogo.

First of all, a communityLogo may contain more than one logo which belongs
to one or more communities. However the client has no way to know whether
the LogotypeData includes different versions from the same logo (e.g. in
black and white or in color) or different logos.

This is not supported. The certificate may only include one image. That image could be a composite of many different logos, if appropriate. We discussed this face-to-face in Yokohama. Discussion with people what develop graphical interfaces do not think it is a good idea to allow this complexity. Too many images will confuse the user. When it is appropriate to include several community logos, they must be combined into one image to ensure that they are consistently displayed. If this is not done, each client will render the images differently...


6. Page 9. Section 4.1.

      LogotypeImageInfo ::= SEQUENCE {
         fileSize        INTEGER,  -- In octets
         xSize           INTEGER,  -- In pixels
         ySize           INTEGER,  -- In pixels
         numColors       INTEGER } -- In bits

Text is missing to explain this structure. How is a grey scale indicated for
jpeg and for gif ???

Do you have a recommendation?


7. Page 9. Section 4.1.

      LogotypeImageInfo ::= SEQUENCE {
         fileSize        INTEGER,  -- In octets
         xSize           INTEGER,  -- In pixels
         ySize           INTEGER,  -- In pixels
         numColors       INTEGER } -- In bits

It is of particular importance to say what means conformance to this
document for a client with respect to the number of pixels to support and
the colors to support.

It is proposed to add a sentence along these lines:

"Clients claiming to conform with this document SHALL support an image with
a minimum size of 48 pixels (xSize) by 32 pixels (ySize) in black and white
with X grey levels."

We have tried to avoid such a statement. Instead we allow the inclusion of the same image at many different resolutions so that the client can select the best fit. This is also the reason that we use MIME types to name the format. It allows the greatest flexibility.


8. Page 9. Section 4.1.

      LogotypeImageInfo ::= SEQUENCE {
         fileSize        INTEGER,  -- In octets
         xSize           INTEGER,  -- In pixels
         ySize           INTEGER,  -- In pixels
         numColors       INTEGER } -- In bits

It would also be appropriate to say what to do when the image is in color
and that the client has no color display available. No display at all ?
Conversion into grey scale using which kind of transposition ?

The client is always allowed to ignore the logotype altogether. The stronger language added in response to your third comment makes this clear.


9. Page 9. Section 4.1. Since audio is a joke, text and ASN.1 about audio
should be deleted.

Again, related to your first comment. No change.


10. Page 9. Section 4.1. The text states:

"Implementations MUST support both the JPEG and GIF image formats (with MIME
types of "image/jpeg" and "image/gif", respectively)"

I would guess that Animated GIF should not be supported. Could we say it ?

Okay. That paragraph now reads:

   A MIME type is used to specify the format of the file containing the
   logotype data. Implementations MUST support both the JPEG and GIF
   image formats (with MIME types of "image/jpeg" and "image/gif",
   respectively). Animated images SHOULD NOT be used. Implementations
   that support audio MUST support the MP3 audio format (with a MIME
   type of "audio/mpeg").


11. Page 10. Section 4.1.

      Community Logotype. If communityLogo is present, the logotype MUST
      represent the community to which the certificate issuer is
      affiliated. The communityLogo MAY be present in an end entity
      certificate, a CA certificate or an attribute certificate.

A certificate issuer may belong to more than one community. Replace: "the
community " by :"the community or the communities".

This is already discussed in response to comment 5. No change.


12. Page 11. Section 5. Type of certificates

Logotypes MAY be present in three types of certificates:

     - CA certificates
     - End-entity certificates
     - Attribute certificates

Why is there such a limitation ? CRL Issuers, OCSP responders or TSUs may
have logotypes present in their certificates.

Replace with : "Logotypes MAY be present in any type of certificate".

David Cross spoke against this suggestion.

Russ