- From: Tyler Close <tyler.close@gmail.com>
- Date: Wed, 12 Apr 2006 11:47:59 -0700
- To: public-usable-authentication@w3.org
On 4/12/06, Michael.Mccormick@wellsfargo.com <Michael.Mccormick@wellsfargo.com> wrote:
>
> RFC 3709 (http://www.ietf.org/rfc/rfc3709.txt) defines an X.509
> extension that allows optional logographic images for community, issuer,
> and subject organizations.
>
> Say for example GM obtained web server SSL certificates from VeriSign
> for use within their supplier community. The cert could display logos
> for GM, VeriSign, and the auto parts exchange (or any subset /
> combination thereof).

The above scenario involves the repeated use of existing relationships, in particular, the relationship between a supplier and GM. To protect against phishing in this scenario, it is important that the supplier's employees be able to readily recognize when they are using this longstanding relationship versus when they have encountered a stranger.

For this scenario, we don't really need more bits in the certificate, we just need to do an equivalence test on the presented certificate. If you step back and think about it, putting an image in the certificate is just putting more bits in the certificate for the user to compare to a known value. Users shouldn't be comparing bits; that's what computers are for. The computer should compare the bits and tell its user whether or not they match any of the user's known sites.

The Petname Tool moves the comparison burden from the user to the browser.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957
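The equivalence test Tyler describes, as an added illustration that is not part of this thread and not the Petname Tool's own source: the browser fingerprints the presented certificate, looks it up in a store of certificates the user has already named, and shows either the user's petname or a neutral "stranger" label. The store keeps petnames unique, so a second site can never be bound to a name the user already gave to someone else. The certificate bytes, site names and the `PetnameStore` / `chrome_label` names are constructed for the example.

```python
"""Petname-style site recognition (added example, not the Petname Tool's code).

The user names a site once; afterwards the browser, not the user, compares
the presented certificate's fingerprint with the stored one.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding of the presented certificate.

    This is the 'bits' being compared: the user never sees them.
    """
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PetnameStore:
    """Two-way map between certificate fingerprint and user-chosen petname."""
    by_fingerprint: Dict[str, str] = field(default_factory=dict)
    by_petname: Dict[str, str] = field(default_factory=dict)

    def name_site(self, cert_der: bytes, petname: str) -> None:
        """Bind a petname to a certificate; a petname may name only one cert."""
        fp = fingerprint(cert_der)
        bound = self.by_petname.get(petname)
        if bound is not None and bound != fp:
            # A stranger presenting a different certificate cannot take over
            # a name the user already assigned to a known relationship.
            raise ValueError(f"petname {petname!r} already names another certificate")
        old_name = self.by_fingerprint.get(fp)
        if old_name is not None and old_name != petname:
            # Renaming: drop the previous petname for this certificate.
            del self.by_petname[old_name]
        self.by_fingerprint[fp] = petname
        self.by_petname[petname] = fp

    def recognize(self, cert_der: bytes) -> Optional[str]:
        """Return the petname if this exact certificate was named before."""
        return self.by_fingerprint.get(fingerprint(cert_der))


def chrome_label(store: PetnameStore, cert_der: bytes) -> str:
    """What the browser UI would display for the presented certificate."""
    name = store.recognize(cert_der)
    return f"known site: {name}" if name else "stranger (no petname)"


# Constructed stand-ins for DER-encoded certificates (not real certificates).
GM_PORTAL_CERT = b"constructed-cert:gm-supplier-portal:2006"
LOOKALIKE_CERT = b"constructed-cert:gm-supplier-portal.example:2006"


def demo():
    """Name the real portal once, then present both certificates."""
    store = PetnameStore()
    store.name_site(GM_PORTAL_CERT, "GM parts portal")
    return chrome_label(store, GM_PORTAL_CERT), chrome_label(store, LOOKALIKE_CERT)


if __name__ == "__main__":
    for label in demo():
        print(label)
```

Because the test is on the exact certificate, a legitimate certificate renewal shows up as a stranger until the user names the new certificate; that is the intended failure mode of a recognition test rather than a defect, and it is the moment a user should be asked to look carefully.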
Received on Wednesday, 12 April 2006 18:48:17 UTC