Re: Discuss comments on draft-ietf-pkix-logotypes



Ted:

You make a good argument for additional information in RFC 3280. I think that RFC 3280 ought to be updated to provide better information on UTF8. Perhaps we can ask the PKIX working group to develop an updated version of RFC 3280 to handle both topics. More will undoubtedly surface once the document is "open."

The issue is bigger than the logotypes document, and I would not like to see it delayed over this more general issue.

Russ

At 10:23 AM 9/19/2003 -0700, hardie@qualcomm.com wrote:
At 5:19 PM -0400 09/18/2003, Russ Housley wrote:
Margaret:

RFC 3280 is silent on the presentation of information from certificates that fail to validate. This is partly because there are so many different reasons that a certificate might fail to validate, and it is partly because it is not a "bits on the wire" issue.

I am opposed to the words that Steve proposed because certificate information is "used" to generate error messages. Let's face it, most users do not know what a certificate is. Anything that helps them understand that the stuff that they got to enable the use of the Starbucks wireless network is not working any more, probably because the certificate expired, is helpful.

Russ

Russ,
I personally believe that there is a difference between the information
in the certificates being used to present clear error information and being used
to present persuasive material. I think presenting information saying "These folks
asserted that they are Starbucks, but the certificate is expired, so the best
I can say is that they were Starbucks at some point in the past" is useful
and allows an application to take something from the certificate and say
something sensible about it.
Saying "These folks say they are Starbucks, but I can't confirm it;
here's what else they say: they're based in Seattle, they have this logo, and
they trade under this stock exchange symbol". All of the rest of the data
is public information, easily attainable, but not trusted here and not useful
for the purposes of identifying who these folks are. Presenting it could easily
give the end user a false sense of trust--"Ah, yes, I recognize all those attributes
of Starbucks, so I'll go ahead and click yes".
If 3280 is silent about presentation of information from a cert that
fails to validate because there may be multiple reasons, I can see your
concern about introducing it here. But it strikes me that the right thing
to do is to work through that problem for the general case. I think this
particular example makes a strong case for why.
best regards,
Ted Hardie