
Re: Evaluation: draft-ietf-pkix-logotypes - Internet X.509 Public Key Infrastructure: Logotypes in X.509 certificates



Ned and I have DISCUSSes on this document, and I'd like to have a few words on the mailing list before the telechat.

--On 12. september 2003 15:42 -0400 IESG Secretary <iesg-secretary@ietf.org> wrote:

> Technical Summary
>
> This document provides for a way to embed visual or audible logos within
> X.509 certificates.

Actually it doesn't; it provides a way to embed *pointers* (URLs) to such logos within X.509 certificates.
Looking at the objections Ned and I have raised, it is a good question whether the definition of these pointers, and the description of how to handle them, is done competently. That's a separate issue from whether it's a good thing to do.


[note - some of my original DISCUSS comments don't hold water on second reading of the document; for instance, HTTP/1.1 is clearly described as mandatory to implement. But the second reading uncovered more problems, such as no MIME type for the URI list fetched by HTTP, no explicit statement that the hash needs to be verified, or what one should do when it fails to verify, and no security considerations mentioning the privacy concerns stemming from the server being able to tell the first time a relying party displays any logotype extension...... update coming....]

Nit, probably an ASN.1/PKIX general issue: What is the value of MAX?

> Working Group Summary
>
> There was initially some controversy about whether or not these
> extensions were reasonable.  Eventually, the working group agreed that
> they were a good idea.

Russ, can you say a few words about why the WG thought it was a good idea?
I think there's a fairly coherent explanation in section 1, but I would like to verify whether there were other significant arguments, or significant objections to some of the arguments thus presented.


Harald
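
The hash check raised in the message above, as an added example that is not part of the original mail or of the draft: a relying party displays fetched logotype data only when it matches a hash carried in the certificate, and displays nothing otherwise. The fail-closed policy, the accepted algorithms, the function names and the logo.example URLs are assumptions of this example.

```python
import hashlib
import hmac

# Algorithms this example accepts (an assumption, not taken from the draft).
ALLOWED_HASHES = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


class LogotypeRejected(Exception):
    """Fetched logotype data must not be displayed."""


def verify_logotype(cert_hashes, data):
    """Return data only if every supported (alg, digest) pair from the cert matches."""
    checked = 0
    for alg, expected in cert_hashes:
        factory = ALLOWED_HASHES.get(alg.lower())
        if factory is None:
            continue  # unknown algorithm cannot count as a verification
        checked += 1
        if not hmac.compare_digest(factory(data).digest(), expected):
            raise LogotypeRejected(f"{alg} hash mismatch")
    if checked == 0:
        raise LogotypeRejected("no supported hash algorithm in certificate")
    return data


def logotype_for_display(cert_hashes, uris, fetch):
    """Try each URI in order; return verified bytes, or None to show nothing."""
    for uri in uris:
        try:
            return verify_logotype(cert_hashes, fetch(uri))
        except (LogotypeRejected, OSError):
            continue  # fail closed for this URI and try the next one
    return None


# Constructed sample data: stand-in image bytes and an offline fetcher.
GOOD = b"GIF89a constructed sample logo"
SAMPLE_HASHES = [("sha1", hashlib.sha1(GOOD).digest())]
SAMPLE_STORE = {
    "http://logo.example/a.gif": b"tampered bytes",
    "http://logo.example/b.gif": GOOD,
}

def sample_fetch(uri):
    """Hypothetical fetcher; a real one would issue an HTTP GET."""
    if uri not in SAMPLE_STORE:
        raise OSError("unreachable")
    return SAMPLE_STORE[uri]
```

Each call to `fetch` is visible to the server named in the URI, which is the privacy concern the message mentions.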