RE: Secure Internet Letterhead from Hallam-Baker, Phillip on 2007-04-30 (public-wsc-wg@w3.org from April 2007)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Mon, 30 Apr 2007 07:59:54 -0700
To: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: <public-wsc-wg@w3.org>
Message-ID: <198A730C2044DE4A96749D13E167AD370124CF00@MOU1WNEXMB04.vcorp.ad.vrsn.com>

It seemed to get left out of the minutes

________________________________

From: Mary Ellen Zurko [mailto:Mary_Ellen_Zurko@notesdev.ibm.com]
Sent: Monday, April 30, 2007 9:33 AM
To: Hallam-Baker, Phillip
Cc: public-wsc-wg@w3.org
Subject: Re: Secure Internet Letterhead

I think it wasn't in tracker because Thomas hadn't posted the minutes or condensed list of action items yet.

ACTION-206 for tracker.

Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect

"Hallam-Baker, Phillip" <pbaker@verisign.com>
Sent by: public-wsc-wg-request@w3.org

04/28/2007 08:24 AM

To
<public-wsc-wg@w3.org>
cc
Subject
Secure Internet Letterhead

I took an action item to write this up before next meeting but it does not seem to have made it to the tracker.

Secure Internet letterhead is the display of an authenticated subject brand within secure chrome.

People recognize companies by their brand in atom space, the same cue should be employed ubiquitously in the Internet, securing Web, Email, instant message and other transactions.

The prefered technical implementation is to bind the brand logo (or audio) information to an Extended Validation SSL certificate using the PKIX LOGOTYPE extension. Such a certificate must meet the minimum issuance standards set by CABForum for issue of EV certificates and additional minimum standards.

The principal security concern is to make it uneconomic for a criminal to profit by obtaining an Extended Validation certificate.

The primary defense against default is to ensure issuer and subject accountability. Subject accountability is ensured through the existing EV issue standards. Issuer accountability by means of displaying the issuer brand logo. Issuers in the trust business can be expected to ensure that their security controls are effective in order to protect their brand.

It is anticipated that the CABForum (or other industry forum) shall determine additional issue criteria for letterhead certificates. In particular requirements for authenticating a subject logo by means of trademark registration data and/or an opinion letter. In addition criteria for publication of revocation information may be enhanced, requiring support for OCSP for example.

The specification of issue practices, minimum criteria for revocation etc. are considered to be outside the scope of the WSC working group.

Received on Monday, 30 April 2007 15:10:01 UTC