W3C home > Mailing lists > Public > public-usable-authentication@w3.org > April 2006

Re: Secure Metadata

From: Tyler Close <tyler.close@gmail.com>
Date: Wed, 12 Apr 2006 11:47:59 -0700
Message-ID: <5691356f0604121147u53a41317wb3e119fa0d423c40@mail.gmail.com>
To: public-usable-authentication@w3.org

On 4/12/06, Michael.Mccormick@wellsfargo.com
<Michael.Mccormick@wellsfargo.com> wrote:
> RFC 3709 (http://www.ietf.org/rfc/rfc3709.txt) defines an X.509
> extension that allows optional logographic images for community, issuer,
> and subject organizations.
> Say for example GM obtained web server SSL certificates from VeriSign
> for use within their supplier community.  The cert could display logos
> for GM, VeriSign, and the auto parts exchange (or any subset /
> combination thereof).

The above scenario involves the repeated use of existing
relationships, in particular, the relationship between a supplier and
GM. To protect against phishing in this scenario, it is important that
the supplier's employees be able to readily recognize when they are
using this longstanding relationship versus when they have encountered
a stranger. For this scenario, we don't really need more bits in the
certificate, we just need to do an equivalence test on the presented

If you step back and think about it, putting an image in the
certificate is just putting more bits in the certificate for the user
to compare to a known value. Users shouldn't be comparing bits, that's
what computers are for. The computer should compare the bits and tell
its user whether or not they match any of the user's known sites.

The Petname Tool moves the comparison burden from the user to the browser.


The web-calculus is the union of REST and capability-based security:

Name your trusted sites to distinguish them from phishing sites.
Received on Wednesday, 12 April 2006 18:48:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 19:53:15 UTC