Re: Extra Security Considerations for Logotypes (was Re: draft-ietf-pkix-logotypes-06.txt)
<snip>
>
>On the security issue I raised, can we at least add something like the
>following text to the Security Considerations?
It occurred to me after I sent this that the section on "Client use" may
be a more appropriate place to put the text.
>"Applications that make use of certificate logotypes MUST ensure that
>their presentation cannot be masqueraded by the display of other dynamic
>multimedia content. For example, it should not be possible for an image
>or audio content on a web page to be confused with a logotype for a
>certificate. For image logotypes this MAY be done by reserving part of
>the user interface for the display of logotype images, and ensuring that
>no dynamic content can display an image at that location. For audio
>logotypes (particularly in applications for the visually impaired, where
>all content is rendered solely in an audio form), there MUST be a
>mechanism for the user to distinguish the logotype audio, such as by
>requiring an action by the user before the audio is played."
--
Dean Povey, |em: povey@xxxxxxxxxxxxx|JCSI: Java security toolkit
Wedgetail Communications|ph: +61 7 3023 5139 |uPKI: Embedded/C PKI toolkit
Level 14, 388 Queen St, |fax: +61 7 3023 5199 |uSSL: Embedded/C SSL toolkit
Brisbane, Australia |www: www.wedgetail.com |XML Security: XML Signatures