Russ, On Wed, Jul 10, 2019 at 11:41 AM housley--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Friday, July 5, 2019 at 7:53:45 PM UTC-4, Wayne Thayer wrote: > > Based on this discussion, I propose adding the following statement to the > > Mozilla Forbidden Practices wiki page [1]: > > > > ** Logotype Extension ** > > Due to the risk of misleading Relying Parties and the lack of defined > > validation standards for information contained in this field, as > discussed > > here [2], CAs MUST NOT include the RFC 3709 Logotype extension in CA or > > Subscriber certificates. > > > > Please respond if you have concerns with this change. As suggested in > this > > thread, we can discuss removing this restriction if/when a robust > > validation process emerges. > > > > - Wayne > > > > [1] https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices > > [2] > > > https://groups.google.com/d/msg/mozilla.dev.security.policy/nZoK5akw2c8/ZtF0WZY8AgAJ > > People find logos very helpful. That is why many browsers display a tiny > logo in the toolbar. > > I would suggest that a better way forward is to start the hard work on the > validation process. It will not be difficult for that to become more > robust and accessible than the logos in the toolbar. > > Perhaps one of us is confused because I think we're saying the same thing - that rules around inclusion of Logotype extensions in publicly-trusted certs should be in place before CAs begin to use this extension. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
