- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Sat, 28 Apr 2007 05:24:10 -0700
- To: <public-wsc-wg@w3.org>
- Message-ID: <198A730C2044DE4A96749D13E167AD370124CEC5@MOU1WNEXMB04.vcorp.ad.vrsn.com>

I took an action item to write this up before next meeting but it does not seem to have made it to the tracker.

Secure Internet letterhead is the display of an authenticated subject brand within secure chrome. People recognize companies by their brand in atom space; the same cue should be employed ubiquitously in the Internet, securing Web, Email, instant message and other transactions.

The preferred technical implementation is to bind the brand logo (or audio) information to an Extended Validation SSL certificate using the PKIX LOGOTYPE extension. Such a certificate must meet the minimum issuance standards set by CABForum for issue of EV certificates and additional minimum standards.

The principal security concern is to make it uneconomic for a criminal to profit by obtaining an Extended Validation certificate. The primary defense against default is to ensure issuer and subject accountability. Subject accountability is ensured through the existing EV issue standards. Issuer accountability is ensured by means of displaying the issuer brand logo. Issuers in the trust business can be expected to ensure that their security controls are effective in order to protect their brand.

It is anticipated that the CABForum (or other industry forum) shall determine additional issue criteria for letterhead certificates. In particular, requirements for authenticating a subject logo by means of trademark registration data and/or an opinion letter. In addition, criteria for publication of revocation information may be enhanced, requiring support for OCSP for example.

The specification of issue practices, minimum criteria for revocation, etc. are considered to be outside the scope of the WSC working group.

Received on Saturday, 28 April 2007 12:24:50 UTC