Discuss comments on draft-ietf-pkix-logotypes
- To: iesg@ietf.org
- Subject: Discuss comments on draft-ietf-pkix-logotypes
- From: Margaret Wasserman <mrw@windriver.com>
- Date: Wed, 17 Sep 2003 23:49:52 -0400

I have entered the attached DISCUSS comments on
draft-ietf-pkix-logotypes.

Margaret

Although I don't object, in principle, to the idea of associating logos
or sounds with certificates, I am having trouble understanding the value
of doing so. Also, I found much of the text in this document to be
either confusing or disturbing.

The discussion of human psychology and branding in the introduction
seems misplaced in a protocol specification.

Also, there is a strange tension in this document between:

1) The purpose of including logo information in a certificate
   is that users will decide how much to trust a given certificate
   based on its "brand".

2) There is no way to authenticate that the logo information
   associated with a certificate is valid in any way.

The security considerations section says:

   "It is thus imperative that the representation of any
   certificate that fails to validate is not enhanced in any way by
   using the logotype graphic unless an appropriate warning is given to
   the end user."

But, other sections of the document have already acknowledged the
fact that the user will pay more attention to whether or not he
trusts the apparent "brand" of the certificate than to an obscure
warning message...