login      my ps      about      contact  



home instructor-led on-demand! screencasts blogs


Security Briefs » Certificates with logotypes

Certificates with logotypes

Security Briefs

Pluralsight Blogs

Syndication

Recent Posts

Tags

View more

Keith's books

Misc

Recent Articles

Archives

A lot of the early documentation on InfoCard focused attention on certificates with logotypes (RFC 3709). The idea here is to move toward a more visual way for humans to recognize certificates. The InfoCard identity selector relies on these logos to help the user decide whether she wants to share identity details with a relying party.

VeriSign has been issuing certificates with their own embedded logo for awhile now. As an example, if you visit https://www.etrade.com and look at its certificate, you'll find a cert extension with an OID of 1.3.6.1.5.5.7.1.12, which is a logotype extension. In this extension, you'll see a mime type such as "image/gif", followed by some binary data, which is the hash of the image, followed by an URL pointing to the image on the web. The identity selector downloads the image, hashes it, checks that the computed hash matches the hash in the cert extension, and then displays the logo to the user.

Here's the rub. While VeriSign is happy to put its own logo in the certificate (the issuer logo), it's not quite as thrilled about putting subject logos in that extension, because the work that would go into verifying those logos can't all be automated, and requires further human intervention. (Consider due diligence such as making sure one guy isn't trying to spoof another guy's logo by making one that looked a lot like it.)

One of the guys in the class made contact with the SSL engineering team at VeriSign and confirmed that indeed subject logotypes aren't on their roadmap, which doesn't bode well for the use of subject logos in the identity selector. I've also heard rumors inside Microsoft that the use of logos may need to be postponed. I wonder if this feature will just be dropped? That would be unfortunate.

Posted Jun 08 2006, 12:11 PM by keith-brown
Filed under: ,

Comments

Norman Diamond wrote re: Certificates with logotypes
on 06-08-2006 5:22 PM
How would the average customer, looking at a web page containing an image, distinguish if the image is a real logotype from VeriSign or just yet another phishing style GIF? When I try to figure out whether a web site is real or not, the images contained in the display have never been part of the investigation.
Keith Brown wrote re: Certificates with logotypes
on 06-08-2006 5:51 PM
I'm talking about the InfoCard selector, not a web page.
Hilton Giesenow wrote re: Certificates with logotypes
on 06-10-2006 2:11 PM
"That would be unfortunate." - whew, no kidding. My understanding was that this was a major component in the anti-phising part of InfoCard.
Phillip Hallam-Baker wrote Support for CardBase was announced at RSA 2006
on 06-16-2006 1:28 PM
I am somewhat concerned that someone would tell you that a product is not on the roadmap when it was announced at RSA 2006. VeriSign is committed to support InfoCard (now Windows Cardbase).

The problem seems to be that you contacted a member of the engineering team. That is not a good way to get accurate information on future plans.

At present the requirements for issuing certificates in IE7 are being discussed by a cross vendor forum. The requirements that the group has produced for 'Extended Validation' certificates (also known at one point as High Assurance) will be enforced in IE7. If you have an EV certificate the toolbar will 'go green' when you are connected to the site via SSL.

At this point discussion has not yet started on the criteria for issuing Logotype certificates, the plan is to move onto this topic only after the basic EV discussion is complete. It is clear that meeting the EV criteria will be the essential minimum. What is necessary beyond that needs to have a wider debate amongst CAs and the providers of the relying applications.

Certainly there is a high degree of commitment to the idea of logotype certificates. I have spoken on the need for Secure Letterhead at 20 venues in the past 12 months and I have two more engagements next week.

The problem is entirely getting support from the client applications, in particular Web and Email.
Keith Brown wrote re: Certificates with logotypes
on 06-16-2006 2:07 PM
I imagine that VeriSign could announce support for CardSpace without supporting subject logotypes (which is what my post was about), especially since I've been told by folks inside MS that the whole logo story may be put off to a future version.

Did VeriSign announce that they were going to start issuing certs with subject logotypes? I've done my own research on high-assurance certs and I've seen nothing about subject logotypes being discussed by the major vendor Please point me to something that contradicts this. A web page at VeriSign saying that subject logotypes are part of the high-assurance certs they'll be issuing would be perfect!

I'd love to be wrong here.
Garrett Serack [MSFT] wrote re: Certificates with logotypes
on 07-06-2006 9:22 PM
Keith,

I'll tell you straight-up. Logo extensions are fully supported by CardSpace.

Here's the caveat: the committee for HA certificates is still working through some of the social/legal issues. When those last few details are hammered out, new CA roots will be distributed, and certificates issued from those roots would be HA.

Aaaaaaand... logotype extensions are only shown in CardSpace for HA Certs. (aha!)

My entire sample suite for CardSpace is all done under a set HA/LogoType'd certificates, all issued off a sample root CA.

I imagine what you are hearing is not the features are being put off, but rather that they are not being emphasized, as it will be still some time before the root CAs are distributed.


Garrett Serack | Program Manager | Connected Identity and Directory| Microsoft Corporation
email/messenger: garretts@microsoft.com
blog: http://blogs.msdn.com/garretts
קולנוע wrote re: Certificates with logotypes
on 07-10-2006 8:55 AM
many problems with RFC 3709
Audian Paxson wrote re: Certificates with logotypes
on 08-14-2006 6:12 AM
Hi Keith,

We have provided a 'similar' service for about a year now. Uses a combination of email authentication (SPF, SID, DK, DKIM) plus...a proprietary get identities call sorta similar to X509. Today the consumer (after downloading our plug in) sees gold locks next to the sender's name (in an area that bad guys can't easily diddle). A mouse over the gold lock in list view or full view displays a certificate. Some of our senders ask us to display a logo in addition to the gold lock, others just stick with the gold lock. Without a doubt, the most difficult task in doing this is the process of verifying the legitimacy of the mark, who owns it and are we working with the person(s) that have permission to use this mark. Integrity to this process is key!

Audian Paxson

Add a Comment

(required)  
(optional)
(required)  
Remember Me?


home instructor-led training online training blogs

781.749.9238 (East Coast) | 310.251.9901 (West Coast) | Pluralsight, LLC , 185 Lincoln St., Suite 305, Hingham, MA 02043-1741

Copyright © 2008 Pluralsight LLC. All rights reserved.

designed by nukeation