ACTION-220 Introduce Secure Letterhead in the Wiki

I added the Secure Letterhead proposal to the Wiki:
 
http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/Letterhead
 
One 'cleanup action' that needs to happen here is to propose to the IETF a mechanism for including text descriptions of community logos into the LOGOTYPE spec.
 

Title


*	Secure Internet Letterhead 

	


Goals

Secure Internet Letterhead addresses the following goals: 

*	User awareness of security information 

*	Reliable presentation of security information 

*	Reduce the number of scenarios in which users need to make trust decisions 

*	Best practices for other media 

	


Overview

Secure Internet Letterhead consists of the use of a PKIX Logotype extension within an EV certificate to display the brand of the certificate issuer, subject and/or communit(ies) within a framework that establishes accountability and hence trustworthiness. 


Dependencies

Secure Internet Letterhead depends upon the SSL server certificate chain information and in particular the presence of a certificate issuer specific certificate policy extension OID for EV and a PKIX LOGOTYPE extension. 


Use-cases

Secure Internet Letterhead addresses essentially the same use cases as EV. The difference is that Secure Internet Letterhead provides a more direct connection to the frame of reference in which the typical user evaluates trust decisions (i.e. brands as opposed to names). 

As such the presentation of the Secure Internet Letterhead information requires certificate issuers to raise their game and make the utmost effort to ensure the reliability and trustworthiness of the information they present. 


Expected User behavior

The expected user behavior is similar to that of EV except that: 

* A first time user who decides that they require additional assurance MAY look at the secondary chrome dialogue to determine which community logos are presented. For example Alice may want to know if her bank is FDIC insured on her first visit but is unlikely to require this on subsequent visits. 

* A frequent visitor to the site MAY be expected to look for the letterhead as the primary indication that the intended site is being visited. 

* The letterhead concept is intended to be ubiquitous and apply to every mode of Internet communication. 


Disruption

As with EV, Secure Internet Letterhead does not mandate a user experience. It is however entirely possible to provide a non-intrusive user experience. 


Accessibility

The information provided by Secure Internet Letterhead is in addition to the information already provided in an X.509v3 certificate and not a substitute. Browsers designed for use by blind and partially sighted users should consider employing the existing X.509v3 subject and issuer information instead. Certificate issuers should provide an accessible means of entering community accreditation information. 

Although the PKIX Logotype specification describes the presentation of audio instead of images, the use of this information is problematic due to the lack of a consistent and comprehensive use of audible brands. 


References


*	[RecommendationDisplayProposals <http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals> /EVCerts Extended Validation Certificates] 

*	[tbs RFC ???? PKIX LOGOTYPE Extension] 

Received on Monday, 4 June 2007 17:20:01 UTC
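
The Dependencies section above names two conditions a client must find before showing letterhead: an issuer-specific EV policy OID and a PKIX logotype extension. The following is an added example, not part of the original message or the proposal, showing that check over a DER-encoded Extensions field. It assumes chain validation has already succeeded and that the caller supplies the EV policy OIDs for the validated issuer; the policy OID `2.999.1` and both sample encodings are constructed placeholders.

```python
CERT_POLICIES = "2.5.29.32"       # id-ce-certificatePolicies
LOGOTYPE = "1.3.6.1.5.5.7.1.12"   # id-pe-logotype (PKIX Logotype extension)

def tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:             # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(value):
    """Yield (tag, value_bytes) for each element inside a constructed value."""
    off = 0
    while off < len(value):
        tag, start, end = tlv(value, off)
        yield tag, value[start:end]
        off = end

def oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends one sub-identifier
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extensions(ext_der):
    """Map extnID -> extnValue for a DER Extensions SEQUENCE."""
    (_, body), = children(ext_der)
    fields = (list(children(ext)) for _, ext in children(body))
    return {oid(f[0][1]): f[-1][1] for f in fields}  # extnID, [critical], extnValue

def letterhead_eligible(ext_der, issuer_ev_policies):
    """True only if a logotype is present AND an issuer EV policy is asserted."""
    exts = extensions(ext_der)
    if LOGOTYPE not in exts or CERT_POLICIES not in exts:
        return False
    (_, policies), = children(exts[CERT_POLICIES])   # SEQUENCE OF PolicyInformation
    asserted = {oid(next(children(info))[1]) for _, info in children(policies)}
    return bool(asserted & set(issuer_ev_policies))

# Constructed samples: policy 2.999.1 (example arc), without and with a logotype.
EV_ONLY = bytes.fromhex("301230100603551d200409300730050603883701")
EV_LOGO = bytes.fromhex("3022" + EV_ONLY[2:].hex() + "300e06082b0601050507010c04023000")
```

A logotype without the issuer's EV policy, or the policy without a logotype, yields `False`, so a client falls back to its ordinary certificate display.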