
Re: Discuss comments on draft-ietf-pkix-logotypes



In message <5.1.0.14.2.20030918000512.03e434c0@mail.windriver.com>, Margaret Wasserman writes:
>
>I would feel more comfortable with this specification if the
>security consideration sections said that the client MUST
>NOT display any logo information, unless the certificate has
>been validated with the CA.
>
>In that case, I agree that the CA should be trusted to
>associate the right logo information (for some definition)
>with the certificate.
>
>But, displaying logos for unvalidated certificates along
>with a warning message only seems like a good way to distract
>users from taking the warning seriously.
>

Margaret, that's Certificate Processing 101 -- the whole purpose of a 
certificate is to get third party verification of the information.  
Now, there's debate in the security community about whether or not this 
is a good idea in the first place -- Matt Blaze has been quoted as 
saying that third party certificate authorities will protect you from 
anyone from whom they won't take money -- but there's no debate 
whatsoever on the need to verify the signature before using the 
information.

Now -- what to do if the verification fails in some fashion is an 
interesting question in human factors.  Often, the correct response is 
to display *all* useful information from the certificate to help the 
human decide what to do, since many verification failures result from 
benign causes.  For example, for three straight years Microsoft let its 
primary code-signing certificate expire in a certain sense, and 
Microsoft's software properly objected to using it.  But the software 
let me satisfy myself that it was a bureaucratic failure, not a 
security one, so I went ahead and used it.  (I also got to tease my 
friends at Microsoft Security, but that's another matter...)  Should 
the software have displayed the logo to me during that process?

If you want an additional warning, I'm not going to object.  But it 
should be worded something like this:

	As with all other fields in a certificate, logo information 
	MUST NOT be used until the validity of the certificate has been
	successfully checked.


		--Steve Bellovin, http://www.research.att.com/~smb
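The rule stated above (check the certificate's validity first, and only then use the logotype field like any other field), as an added example in Go that is not part of this thread or of the logotype draft. It builds a throwaway CA and leaf certificate in memory, attaches a constructed placeholder value under the logotype extension OID 1.3.6.1.5.5.7.1.12 (the value is not a real LogotypeExtnInfo encoding), and returns the extension only after crypto/x509 path validation succeeds. An expired leaf, or one whose issuer is not in the trust store, produces the validation error and no logo, which is the point Margaret raised: the relying application never gets a logo to show before it knows whether to trust the certificate. The names buildDemoPKI and extractLogotype are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"log"
	"math/big"
	"time"
)

// oidLogotype is id-pe-logotype, the PKIX logotype extension OID.
var oidLogotype = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 12}

// demoPKI holds a trust store with one root and a leaf issued by that root.
type demoPKI struct {
	Roots *x509.CertPool
	Leaf  *x509.Certificate
}

// buildDemoPKI generates fresh keys and certificates in memory (constructed
// test data, not a real CA). logoValue is stored verbatim as the logotype
// extension's value; the example does not encode a real LogotypeExtnInfo.
func buildDemoPKI(notBefore, notAfter time.Time, logoValue []byte) (*demoPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             notBefore,
		NotAfter:              notAfter.Add(24 * time.Hour), // outlives the leaf
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Non-critical, so a verifier that does not understand it still accepts the cert.
		ExtraExtensions: []pkix.Extension{{Id: oidLogotype, Critical: false, Value: logoValue}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &demoPKI{Roots: roots, Leaf: leafCert}, nil
}

// extractLogotype returns the logotype extension value only after the leaf
// chains to a trusted root and is within its validity period at `now`.
// Any validation failure (expired, untrusted issuer, bad signature) returns
// the error and no logo, so the caller cannot display it by mistake.
func extractLogotype(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) ([]byte, error) {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return nil, err
	}
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidLogotype) {
			return ext.Value, nil
		}
	}
	return nil, errors.New("certificate valid but carries no logotype extension")
}

func main() {
	notBefore := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	notAfter := notBefore.AddDate(1, 0, 0)
	logo, _ := asn1.Marshal("placeholder logotype value") // constructed stand-in
	pki, err := buildDemoPKI(notBefore, notAfter, logo)
	if err != nil {
		log.Fatal(err)
	}
	// One check inside the validity period, one after it (the expired case).
	for _, now := range []time.Time{notBefore.Add(time.Hour), notAfter.Add(time.Hour)} {
		if v, err := extractLogotype(pki.Leaf, pki.Roots, now); err != nil {
			fmt.Printf("%s: validation failed (%v); logo withheld\n", now.Format(time.RFC3339), err)
		} else {
			fmt.Printf("%s: chain valid; logotype extension carries %d bytes\n", now.Format(time.RFC3339), len(v))
		}
	}
}
```

Verify is deliberately the first thing extractLogotype does; the extension is read from the parsed certificate only on the success path. If an application wants to follow the human-factors route in the message above (show the user what the certificate claims when validation fails), it should do so from the returned error and the certificate's plain fields, not by calling the logo path.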