- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Mon, 6 Oct 2008 11:39:34 -0700
- To: "Johnathan Nightingale" <johnath@mozilla.com>, "Serge Egelman" <egelman@cs.cmu.edu>
- Cc: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
- Message-ID: <2788466ED3E31C418E9ACC5C316615572FFA73@mou1wnexmb09.vcorp.ad.vrsn.com>
Clearly I am not going to discuss what VeriSign might or might not be discussing with a partner so I am not able to respond to Serge's claim except to point out that there is a Microsoft employee name on the RFC.

It seems to me that the point of the rec here is not to say 'you should put logotype info in front of the user'. Rather I think the point is the reverse: do not put the logotype info in front of the user unless these specific criteria have been met, in particular it must be an augmented assurance cert.

We have indeed been discussing this in the CABForum and I have attached the latest version of the discussion document that I presented there. Since then we have added a requirement for the CA to include the trademark registration data in the certificate, I have not drafted the requirement language yet as I only just got off the call with the lawyers on how to proceed.

At the moment we are working on the question of liability and in particular the issue of who is liable in case of a default. Clearly the application providers would want the CA to be liable before they are and the CA would like the applicant to be first in line liability wise. We know how to do this under US law, but we are currently researching concerns regarding US law.

Subject Logotype Data: Subject Logotype data encoded as a certificate extension in accordance with the requirements set out in IETF RFC 3709

Insert after section 19:

Verification of Subject Logotype Image Suitability

a) Verification Requirements

If subject logotype data is to be included in a certificate the CA MUST verify that the subject logotype data is suitable for the purpose of unambiguously identifying the certificate subject's brand.
The only elements that MAY appear in Subject Logotype Data are:

1) Textual representation(s) of the Applicant identity specified in the Certificate Subject
2) Textual representations of registered trademarks or service marks
3) Graphical representations of registered trademarks or service marks

Graphical or textual forms that do not correspond to one or more of these categories MUST NOT be included. The subject logotype data MUST contain at least one textual representation of the Applicant Identity specified in the Certificate Subject. All subject logotype images included in a certificate MUST be verified.

b) Acceptable Methods of Verification

The CA MAY establish that Subject Logotype Image data meets the suitability requirements by visual inspection of the image, to determine the Verification of Subject Logotype Image Applicant Identity Element criteria are met in the case of a textual representation of the Applicant Identity or the Verification of Subject Logotype Trademark or Service Mark Element criteria are met otherwise.

Verification of Subject Logotype Image Applicant Identity Element

a) Verification Requirements

The CA MUST verify that each Subject Logotype Image Applicant Identity Element provides a clear and legible rendering of all key components of a verified Applicant Identity.

b) Acceptable Methods of Verification

The CA MAY determine that a Subject Logotype Image Applicant Identity Element meets the Subject Logotype Image Applicant Identity Element verification criteria by visual inspection.

Verification of Subject Logotype Trademark or Service Mark Element

a) Verification Requirements

If subject logotype data is to be included in a certificate the CA MUST verify that the subject has right of use for the image data represented.

b) Acceptable Methods of Verification

The CA MUST establish that the applicant has a right of use for a Trademark or Service mark by determining that each of the following requirements is met:

1) That a registered trademark exists.

The CA MAY verify the existence of the registration by reference to a QGIS for trademark data.

2) That the registered trademark is substantially identical to the Subject Logotype Image Element.

The CA MAY verify the substantial similarity of the registered trademark and the Subject Logotype Image element by visual inspection.

3) That the applicant has the right to use the registered trademark

The CA MAY verify the right to use the registered trademark by:

a) Verifying that the applicant is the registered owner of the registered trademark by consulting a QGIS for trademark data.

b) Contacting the registered owner of the registered trademark

Contacting the registered owner or owner's agent of the registered trademark by phone or mail at the phone number or address specified in the registration and obtaining written confirmation that the registered owner or agent has reviewed and approves the EV Certificate Request.

[We may want something in writing and not just Oral. If the cert applicant is not the owner perhaps we need a legal opinion from the registered owner's lawyer? But we can leave as is for now and see what folk on the forum think]

3) Reference to a Verified Legal Opinion

Verifying that a Verified Legal Opinion asserts the valid registration of the Trademark and applicant's right of use for the specified trademark.

[Further issues]

One issue that comes up is that we might want to define an OID for encoding the trademark registration number. This would make it much easier to definitively detect malicious activity. The trademark owner likely knows the trademarks that they own and any unauthorized occurrence of those trademarks in a cert can be protested.

One thing I think is very important here is to allow Chinese and Japanese companies to be able to use a logotype for the Han character version of their company name

________________________________

From: Johnathan Nightingale [mailto:johnath@mozilla.com]
Sent: Fri 10/3/2008 2:41 PM
To: Serge Egelman
Cc: Mary Ellen Zurko; Hallam-Baker, Phillip; public-wsc-wg@w3.org
Subject: Re: Pull the plug on logotypes?

Microsoft are members of the CABForum and are actively discussing the question of including logotypes in the EV guidelines, based on a proposal from Phil.

It's certainly true that the verification implications are steep, but then again there is no global, authoritative register of organization names, either. The degree to which implementors are comfortable with this, or any other piece of information, will mostly come down to, as you suggest: the confidence one has in the quality of the verification (be it Madrid protocol or other), and the degree to which the attesting CA is willing to assume liability for verification failures.

Nevertheless, to answer Mez's question - Firefox doesn't implement this presently, and won't do so without a standard of identification that we support. While those discussions are happening, that puts it well out on our roadmap as well.

Cheers,

Johnathan

On 3-Oct-08, at 2:27 PM, Serge Egelman wrote:

I obviously do not speak for Microsoft, but I have been told that it's highly unlikely that IE would be implementing this. Phill and anyone else involved in CAB Forum should be aware of Microsoft's position: trademark is highly territorial and therefore cannot be enforced globally. Creating a security indicator that assumes the opposite will not be effective and creates many potential legal problems for implementors.

serge

On Fri, Oct 3, 2008 at 11:14 AM, Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com> wrote:

But the main point is, in our Features at Risk table, no one is implementing logotypes at all, in any form.
While are necessary to get them through CR. If no one implements them, they won't make it. They're already a feature at risk.

Does anyone think that they (or anyone else) will be implementing them as an add on for our CR phase?

Mez

From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>, <public-wsc-wg@w3.org>
Date: 10/01/2008 10:07 AM
Subject: RE: Pull the plug on logotypes?

________________________________

I disagree that the audio interactions are an issue.

The purpose of the logotype is to provide an immediately recognizable subject identity. The standard subject field in the X.509 cert contains sufficient information to provide text-to-speech rendering of the subject identity.

There may be secure chrome issues for voice browsers but they do not have any connection to the logotypes issue since you wouldn't use them.

-----Original Message-----
From: public-wsc-wg-request@w3.org on behalf of Mary Ellen Zurko
Sent: Fri 9/26/2008 5:11 PM
To: public-wsc-wg@w3.org
Subject: Pull the plug on logotypes?

None of our participating browsers are implementing them:
http://www.w3.org/2006/WSC/wiki/FeaturesAtRisk

The audio interactions for accessibility are non trivial.

We won't have worked examples to sanity check.

I propose we remove them.

Thoughts?

--
/*
I am Serge Egelman and I approve this message.
*/

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com
Received on Monday, 6 October 2008 18:40:42 UTC