On Thu, Jun 13, 2019 at 2:04 AM kirkhalloregon--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Jeremy is correct - including strongly verified registered trademarks via
> extensions in EV certs is permitted (i.e., not forbidden) by BR Section
> 7.1.2.4.

It's unclear to me if Jeremy was taking a position versus sharing an interpretation. I think it may be useful to frame it as an interpretation, and then to provide support and evidence for that interpretation, and whether or not you agree or disagree with other interpretations, and why.

[In an official capacity]

As Google shared during the recent CA/Browser Forum, our view is that such certificates violate Section 7.1.2.4, especially as proposed to be validated here, and as such, are misissuance. The proposed algorithm, as stated, does not meet the requirements of 7.1.2.4. Advocates in favor of finding an acceptable interpretation are welcome to attempt refinements to the algorithm in order to satisfy the requirements of the Baseline Requirements, but issuing as described will be misissuance and will require a CA incident report to be filed.

With respect to logos in particular, our view is that there is a substantially higher bar here that needs to be met to avoid misleading Relying Parties and to provide the appropriate evidence of validation in an unambiguous fashion.

[In a personal capacity]

As mentioned in the CA/Browser Forum, this topic has been discussed in IETF [1], and the many obvious flaws in the proposal have been pointed out by a number of members of that community. While advocates for BIMI - which is proposed as applicable in the context of S/MIME - have not meaningfully addressed or even acknowledged these concerns, there is a broader consensus about the problems. As noted, the use of trademarks and logos, particularly as described, has a high likelihood of user confusion due to the necessary and inherent nature of global trademark usage [2].
Much as we recognize the necessary value to include the full jurisdiction information for incorporation - for example, the use of "Franchise World Headquarters LLC [US]" is known and has been shown to be misleading [3], even though expressly permitted. Among other things, the reason for this is that the country alone is not sufficient to disambiguate things, and requires the full jurisdiction display - which is problematic with respect to usability and accessibility. If we apply this principle with respect to logos, to avoid misleading relying parties, we would need to show specific trademark registration numbers and ensure users understood the appropriate distinction of trademark and wordmark registries, and their limitations. If users were to rely on only parts of this information, much as some have been misled to do so with EV, we can see situations such as Stripe, where users are misled by the partial information.

It's important to note that even the advocates within BIMI for the inclusion of logos have repeatedly made it clear that BIMI MUST NOT be used to reduce user confusion or be interpreted as a security technology, because logos do not provide security benefits. To put it differently, the loudest current advocates for inclusion of logos in certificates make it clear that they will **mislead relying parties**, which is a position I strongly agree with, and which, as noted above, is also Google's official position on this. BIMI advocates have made it clear that they do not believe this can improve security or trust, that its value is purely as a marketing tool for brands, and that this marketing value is useful as coercive leverage for getting such brands to invest in actual technologies that improve trust and safety (such as DKIM and DMARC). We must not lose sight of that.
While I appreciate the attempt to resolve some of the past concerns around the global legal framework with respect to trademarks, by only allowing American companies to benefit, I think we can agree that such a form of cultural imperialism is not well-placed in a global Internet. Similarly, as many have highlighted, such an approach is fundamentally hostile to accessibility goals. For example, even if the misguided and unsupported assertion that it improves security were true, then it fundamentally only improves security for users without vision impairments. I can understand and appreciate arguments that some may be better than none, but I suspect our time would be better spent looking for ways to improve the security for all users, and on an Internet scale.

I think, within this community, we are all strongly in support of ways to improve user security on the Web. As we all know and understand, the foundation for the Web security model is the origin - the scheme, host, and port. In the context of TLS, the role of certificates is thus to bind a public key to an origin, so that users and user agents can be reliably assured that they are talking to the correct origin, which is the basis of Internet security and trust, ensuring no parties on the network can intercept or manipulate content. While suggestions to add additional information to certificates exist, it's important to note that there is no technical reason to embed these within TLS certificates on a technological level, and there's ample research and experience showing how doing so harms users' security and trust. The conflation of additional information, as proposed, harms end users' security, by reducing the agility and increasing the difficulty of the TLS ecosystem. Furthermore, such additional information demonstrably does not improve users' security, as it does not factor into the origin security model.
Many alternative technologies exist to improve user trust, which is important to separate from user security, but it's equally important to note that the inclusion of such additional organizational information within certificates has been rigorously and repeatedly shown not to improve trust qualitatively or quantitatively. While I can understand that some enterprises may not fully understand how Web security or their users work, I think we should focus on delivering solutions that are sound for users and user security. In particular, I think solutions such as logos in certificates are actively harmful to the ecosystem as a whole. More importantly, however, I do not believe they are acceptable to include in certificates.

[1] https://mailarchive.ietf.org/arch/browse/bimi/
[2] http://whatculture.com/offbeat/10-massive-companies-unbelievably-similar-logos
[3] https://stripe.ian.sh/