Re: Secure Internet Letterhead

I think it wasn't in tracker because Thomas hadn't posted the minutes or 
condensed list of action items yet. 

ACTION-206 for tracker. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Hallam-Baker, Phillip" <pbaker@verisign.com> 
Sent by: public-wsc-wg-request@w3.org
04/28/2007 08:24 AM

To: <public-wsc-wg@w3.org>
cc:
Subject: Secure Internet Letterhead






I took an action item to write this up before next meeting but it does not 
seem to have made it to the tracker.
 
 
Secure Internet letterhead is the display of an authenticated subject 
brand within secure chrome. 
 
People recognize companies by their brand in atom space, the same cue 
should be employed ubiquitously in the Internet, securing Web, Email, 
instant message and other transactions.
 
The preferred technical implementation is to bind the brand logo (or audio) 
information to an Extended Validation SSL certificate using the PKIX 
LOGOTYPE extension. Such a certificate must meet the minimum issuance 
standards set by CABForum for issue of EV certificates and additional 
minimum standards.
 
The principal security concern is to make it uneconomic for a criminal to 
profit by obtaining an Extended Validation certificate.
 
The primary defense against default is to ensure issuer and subject 
accountability. Subject accountability is ensured through the existing EV 
issue standards. Issuer accountability is ensured by means of displaying the 
issuer brand logo. Issuers in the trust business can be expected to ensure 
that their security controls are effective in order to protect their brand.
 
It is anticipated that the CABForum (or other industry forum) shall 
determine additional issue criteria for letterhead certificates, in 
particular requirements for authenticating a subject logo by means of 
trademark registration data and/or an opinion letter. In addition, criteria 
for publication of revocation information may be enhanced, requiring 
support for OCSP for example.
 
The specification of issue practices, minimum criteria for revocation etc. 
are considered to be outside the scope of the WSC working group.
 
 
 

Received on Monday, 30 April 2007 13:33:08 UTC