- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Mon, 04 Jun 2007 19:23:00 -0400
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- CC: public-wsc-wg@w3.org
Maybe I'm missing something, but from this description, it seems that the only difference between having an EV cert and using secure letterhead is that the logo of the issuer is displayed in the browser? Is this a correct interpretation? Would it be possible to see a mock-up of this?

serge

Hallam-Baker, Phillip wrote:
> I added the Secure Letterhead proposal to the Wiki:
>
> http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead
>
> One 'cleanup action' that needs to happen here is to propose to the IETF a mechanism for including text descriptions of community logos into the LOGOTYPE spec.
>
>
> Title
>
> * Secure Internet Letterhead
>
>
> Goals
>
> Secure Internet Letterhead addresses the following goals:
>
> * User awareness of security information
> * Reliable presentation of security information
> * Reduce the number of scenarios in which users need to make trust decisions
> * Best practices for other media
>
>
> Overview
>
> Secure Internet Letterhead consists of the use of a PKIX Logotype extension within an EV certificate to display the brand of the certificate issuer, subject and/or communit(ies) within a framework that establishes accountability and hence trustworthiness.
>
>
> Dependencies
>
> Secure Internet Letterhead depends upon the SSL server certificate chain information and in particular the presence of a certificate issuer specific certificate policy extension OID for EV and a PKIX LOGOTYPE extension.
>
>
> Use-cases
>
> Secure Internet Letterhead addresses essentially the same use cases as for EV. The difference is that Secure Internet Letterhead provides a more direct connection to the frame of reference in which the typical user evaluates trust decisions (i.e. brands as opposed to names).
>
> As such the presentation of the Secure Internet Letterhead information requires certificate issuers to raise their game and make the utmost effort to ensure the reliability and trustworthiness of the information they present.
>
>
> Expected User behavior
>
> The expected user behavior is similar to that of EV except that:
>
> * A first time user who decides that they require additional assurance MAY look at the secondary chrome dialogue to determine which community logos are presented. For example Alice may want to know if her bank is FDIC insured on her first visit but is unlikely to require this on subsequent visits.
>
> * A frequent visitor to the site MAY be expected to look for the letterhead as the primary indication that the intended site is being visited.
>
> * The letterhead concept is intended to be ubiquitous and apply to every mode of Internet communication.
>
>
> Disruption
>
> As with EV, Secure Internet Letterhead does not mandate a user experience. It is however entirely possible to provide a non-intrusive user experience.
>
>
> Accessibility
>
> The information provided by Secure Internet Letterhead is in addition to the information already provided in an X.509v3 certificate and not a substitute. Browsers designed for use by blind and partially sighted users should consider employing the existing X.509v3 subject and issuer information instead. Certificate issuers should provide an accessible means of entering community accreditation information.
>
> Although the PKIX Logotype specification describes the presentation of audio instead of images the use of this information is problematic due to the lack of a consistent and comprehensive use of audible brands.
>
>
> References
>
> * [RecommendationDisplayProposals <http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals>/EVCerts Extended Validation Certificates]
>
> * [tbs RFC ???? PKIX LOGOTYPE Extension]
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Monday, 4 June 2007 23:23:16 UTC