RE: ISSUE-97: Should logotypes be tied to EV certificates?[Techniques] from michael.mccormick@wellsfargo.com on 2007-08-13 (public-wsc-wg@w3.org from August 2007)

From: <michael.mccormick@wellsfargo.com>
Date: Mon, 13 Aug 2007 09:30:36 -0500
To: <tlr@w3.org>, <public-wsc-wg@w3.org>
Cc: <Pete.Palmer@wellsfargo.com>, <peltond@wellsfargo.com>, <Peri.Drucker@wellsfargo.com>
Message-ID: <9D471E876696BE4DA103E939AE64164D0B0996@msgswbmnmsp17.wellsfargo.com>

Thomas,

I would welcome W3C getting involved in the CAB space, at least at
points where it intersects with the WSC charter.  Which the OID arguably
does since it triggers a security indicator.

However I don't think WSC has the charter to define what "EV-like"
means; that should be the topic of a separate PKI standard based (as a
point of departure) on the EV spec.  I personally believe it should take
the form of an update to X9.79 which is essentially EV's "granddaddy".

Cheers, Mike

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Sunday, August 12, 2007 6:41 AM
To: McCormick, Mike
Cc: public-wsc-wg@w3.org
Subject: Re: ISSUE-97: Should logotypes be tied to EV
certificates?[Techniques]

On 2007-08-10 15:02:06 -0500, michael.mccormick@wellsfargo.com
wrote:

> Logotypes should be tied to X.509 certificates that have been strongly

> vetted per EV rules or similar.  WSC cannot mandate EV specifically 
> since it's not a standard.

That's actually not entirely obvious; however, I think the question what
our notion of "EV-like" (or "EV") should be needs to be discussed based
on its merits.

> Plus we should leave the door open to other communities to create 
> "EV-like" X.509 schemes. My industry is currently considering just 
> that.

This ties in an interesting way with the "no public OID for EV behavior"
decision that CAB forum seems to have made, see [1] and follow-ups.

I suppose a cleaner approach would be to have (a) a publicly defined OID
that indicates "EV-like behavior" (logotypes etc); (b) refer to an
out-of-band "qualification" decision taken as a matter of browser
customization.  I also think coming up with such an approach would be
within our scope.

ISSUE-102 [2] tries to capture the two essential questions around this
discussion, for later resolution.

1. http://lists.w3.org/Archives/Public/public-wsc-wg/2007Jul/0301.html
2. http://www.w3.org/2006/WSC/track/issues/102

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Monday, 13 August 2007 14:31:31 UTC