- From: Thomas Roessler <tlr@w3.org>
- Date: Fri, 20 Jun 2008 11:31:35 +0200
- To: "Hallam-Baker, Phillip" <pbaker@verisign.com>
- Cc: public-wsc-wg@w3.org
On 2008-06-19 19:34:45 -0700, Phillip Hallam-Baker wrote:

> Certificate Logotype Data
> Where the security of a Web interaction depends on the reliable
> interpretation of the subject identity, the usability of the
> identifier chosen to represent that identity is of great
> importance. A DNS name is an identifier created for the purpose
> of specifying network hosts and is optimized for that purpose, in
> particular ease of entry is given priority over ease of
> interpretation. Likewise, the X.500 Distinguished Names employed
> in X.509 digital certificates are a technical construct designed
> to support the needs of the network directory.
>
> The form of identifier that corporations in particular have
> adopted for representing their identity is the logo. A logo is an
> image that is designed to communicate the identity of the party
> that uses it. Many corporations and other enterprises invest
> enormous amounts of time, effort and money to develop and promote
> logos that are instantly recognizable.
>
> The PKIX Logotype extension allows the use of image or audio data
> to represent the certificate subject, the certificate issuer and
> assertions that the subject is a member of certain specified
> communities. The image or audio data is securely incorporated
> into the certificate by a URL reference and a cryptographically
> secure message digest of the data.
>
> Presentation of Logotype information from a PKIX certificate may
> allow more effective representation of the subject and/or issuer
> identity and membership of community groups, provided that:
>
> * The logo information is presented in a manner that the user is
>   likely to take notice of in the necessary circumstances
> * The logo information is presented through a secure channel that
>   cannot be spoofed or emulated by an attacker.
>
> In addition any technique that makes a subject identity assertion
> more usable to the user is likely to increase the user's
> confidence in that identity and thus their reliance.

I'm fine with the text (and with including it), except for this:

> Subject logotype data MUST NOT be presented to the user without
> caveat unless it is contained in an Augmented Assurance
> certificate.

While I agree with the spirit of this statement, I don't like the
idea of adding conformance language after a resolution to go to last
call; I also think this is redundant with the material here:

http://www.w3.org/2006/WSC/drafts/rec/rewrite.html#sec-logotypes

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>
Received on Friday, 20 June 2008 09:32:15 UTC