We wanted to experiment a bit with logotype extensions and trademarks, but we heard from the CAB Forum that whether inclusion is allowed is subject a bit to interpretation by the browsers.
>From the BRs section 7.1.2.4 "All other fields and extensions MUST be set in accordance with RFC 5280. The CA SHALL NOT issue a Certificate that contains a keyUsage flag, extendedKeyUsage value, Certificate extension, or other data not specified in section 7.1.2.1, 7.1.2.2, or 7.1.2.3 unless the CA is aware of a reason for including the data in the Certificate. CAs SHALL NOT issue a Certificate with: a. Extensions that do not apply in the context of the public Internet (such as an extendedKeyUsage value for a service that is only valid in the context of a privately managed network), unless: i. such value falls within an OID arc for which the Applicant demonstrates ownership, or ii. the Applicant can otherwise demonstrate the right to assert the data in a public context; or b. semantics that, if included, will mislead a Relying Party about the certificate information verified by the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance)." In this case, the logotype extension would have a trademark included (or link to a trademark). I think this allowed as: 1. There is a reason for including the data in the Certificate (to identify a verified trademark). Although you may disagree about the reason for needing this information, there is a not small number of people interested in figuring out how to better use identification information. No browser would be required to use the information (of course), but it would give organizations another way to manage certificates and identity information - one that is better (imo) than org information. 2. The cert applies in the context of the public Internet. Trademarks/identity information is already included in the BRs. 3. The trademark does not falls within an OID arc for which the Applicant demonstrates ownership (no OID included). 4. The Applicant can otherwise demonstrate the right to assert the data in a public context. If we vet ownership of the trademark with the appropriate office, there's no conflict there. 5. Semantics that, if included, will not mislead a Relying Party about the certificate information verified by the CA (such as including extendedKeyUsage value for a smart card, where the CA is not able to verify that the corresponding Private Key is confined to such hardware due to remote issuance). None of these examples are very close to the proposal. What I'm looking for is not a discussion on whether this is a good idea, but rather is it currently permitted under the BRs per Mozilla's interpretation. I'd like to have the "is this a good idea" discussion, but in a separate thread to avoid conflating permitted action compared to ideal action. Jeremy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy