📄 draft-ietf-pkix-logotypes-09.txt

   using the logotype graphic unless an appropriate warning is given to
   the end user.

   Certification paths may also impose name constraints that are
   systematically checked during certification path processing, which,
   in theory, may be circumvented by logotypes.

   Certificate path processing as defined in RFC 3280 [PKIX-1] does not
   constrain the inclusion of logotype data in certificates. A parent CA
   can constrain certification path validation such that subordinate CAs
   cannot issue valid certificates to end-entities outside a limited
   name space or outside specific certificate policies. A malicious CA
   can comply with these name and policy requirements and still include
   inappropriate logotypes in the certificates that it issues. These
   certificates will pass the certification path validation algorithm,
   which means the client will trust the logotypes in the certificates.
   Since there is no technical mechanism to prevent or control
   subordinate CAs from including the logotype extension or its
   contents, where appropriate, a parent CA could employ a legal
   agreement to impose a suitable restriction on the subordinate CA.
   This situation is not unique to the logotype extension.

   The controls available to a parent CA to protect itself from rogue
   subordinate CAs are non-technical. They include:

     - Contractual agreements of suitable behavior, including
       terms of liability and severance pay in case of material
       breach.

     - Control mechanisms and procedures to monitor and
       follow-up behavior of subordinate CAs.

Santesson, Housley, & Freeman                                  [Page 14]

INTERNET DRAFT       Logotypes in X.509 Certificates       December 2002

     - Use of certificate policies to declare assurance level
       of logotype data as well as to guide applications on how
       to treat and display logotypes.

     - Use of revocation functions to revoke any misbehaving CA.

   There is not a simple, straightforward, and absolute technical
   solution. Rather, involved parties must settle some aspects of PKI
   outside the scope of technical controls. As such, issuers need to
   clearly identify and communicate the associated risks.

8. References

   [CMS]        R. Housley, Cryptographic Message Syntax (CMS), RFC 3369,
                August 2002.

   [LANGCODES]  H. T. Alvestrand, "Tags for Identification of Languages",
                RFC 3066, January 2001.

   [PKIX-1]     R. Housley, W. Polk, W. Ford, and D. Solo, "Internet
                X.509 Public Key Infrastructure: Certificate and
                Certificate Revocation List (CRL) Profile", RFC 3280,
                April 2002.

   [SHS]        Federal Information Processing Standards Publication
                (FIPS PUB) 180-1, Secure Hash Standard, 17 April 1995.
                [Supersedes FIPS PUB 180 dated 11 May 1993.]

   [STDWORDS]   S. Bradner, "Key words for use in RFCs to Indicate
                Requirement Levels", RFC 2119, March 1997.

   [HTTP/1.1]   UC Irvine, J. Gettys, J. Mogul, H. Frystyk, L. Masinter,
                P. Leach and T. Berners-Lee, "Hypertext Transfer Protocol
                -- HTTP/1.1", RFC 2616

   [URI]        T. Berners-Lee, R. Fielding, L. Masinter, "Uniform Resource
                Identifiers (URI): Generic Syntax", RFC 2396, August 1998.

   [X.208-88]   CCITT Recommendation X.208: Specification of Abstract
                Syntax Notation One (ASN.1), 1988.

   [X.209-88]   CCITT Recommendation X.209: Specification of Basic
                Encoding Rules for Abstract Syntax Notation One (ASN.1),
                1988.

   [X.509-88]   CCITT Recommendation X.509: The Directory -
                Authentication Framework.  1988.

APPENDIX A. ASN.1 Module

   LogotypeCertExtn
     { iso(1) identified-organization(3) dod(6) internet(1)
       security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-logotype(22) }

   DEFINITIONS IMPLICIT TAGS ::=
   BEGIN

   IMPORTS
      AlgorithmIdentifier FROM PKIX1Explicit88 -- RFC 3280
        { iso(1) identified-organization(3) dod(6) internet(1)
          security(5) mechanisms(5) pkix(7) id-mod(0)
          id-pkix1-explicit(18) };

   -- Logotype Extension OID

   id-pe-logotype  OBJECT IDENTIFIER  ::=
      { iso(1) identified-organization(3) dod(6) internet(1)
        security(5) mechanisms(5) pkix(7) id-pe(1) 12 }

   -- Logotype Extension Syntax

   LogotypeExtn ::= SEQUENCE {
      communityLogos  [0] SEQUENCE OF LogotypeInfo OPTIONAL,
      issuerLogo      [1] LogotypeInfo OPTIONAL,
      subjectLogo     [2] LogotypeInfo OPTIONAL,
      otherLogos      [3] SEQUENCE OF OtherLogotypeInfo OPTIONAL }

   LogotypeInfo ::= CHOICE {
      direct          [0] LogotypeData,
      indirect        [1] LogotypeReference }

   LogotypeData ::= SEQUENCE {
      image           SEQUENCE OF LogotypeImage OPTIONAL,
      audio           [1] SEQUENCE OF LogotypeAudio OPTIONAL }

   LogotypeImage ::= SEQUENCE {
      imageDetails    LogotypeDetails,
      imageInfo       LogotypeImageInfo OPTIONAL }

   LogotypeAudio ::= SEQUENCE {
      audioDetails    LogotypeDetails,
      audioInfo       LogotypeAudioInfo OPTIONAL }

   LogotypeDetails ::= SEQUENCE {
      mediaSubType    IA5String, -- MIME image or audio subtype
      logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
      logotypeURI     SEQUENCE SIZE (1..MAX) OF IA5String }

   LogotypeImageInfo ::= CHOICE {
      grayScale       [0] LogotypeGrayScaleImageInfo,
      color           [1] LogotypeColorImageInfo }

   LogotypeGrayScaleImageInfo ::= SEQUENCE {
      fileSize        INTEGER,  -- In octets
      xSize           INTEGER,  -- Horizontal size in pixels
      ySize           INTEGER,  -- Vertical size in pixels
      numLevels       INTEGER } -- # of grayscale levels in bits

   LogotypeColorImageInfo ::= SEQUENCE {
      fileSize        INTEGER,  -- In octets
      xSize           INTEGER,  -- Horizontal size in pixels
      ySize           INTEGER,  -- Vertical size in pixels
      numColors       INTEGER } -- # of colors in bits

   LogotypeAudioInfo ::= SEQUENCE {
      fileSize        INTEGER, -- In octets
      playTime        INTEGER, -- In milliseconds
      sampleRate      INTEGER, -- Samples per second
      channels        INTEGER, -- 1=mono, 2=stereo, 4=quad
      language        IA5String OPTIONAL } -- RFC 3066 Language Tag

   OtherLogotypeInfo ::= SEQUENCE {
      logotypeType    OBJECT IDENTIFIER,
      info            LogotypeInfo }

   LogotypeReference ::= SEQUENCE {
      refStructHash   SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
      refStructURI    SEQUENCE SIZE (1..MAX) OF IA5String }
                         -- Places to get the same "LTD" file

   -- Note: The content of referenced "LTD" files is defined by the
   --       LogotypeData type

   HashAlgAndValue ::= SEQUENCE {
      hashAlg         AlgorithmIdentifier,
      hashValue       OCTET STRING }

   -- Other logotype type OIDs

   id-logo OBJECT IDENTIFIER ::= { iso(1) identified-organization(3)
      dod(6) internet(1) security(5) mechanisms(5) pkix(7) 20 }

   id-logo-loyalty    OBJECT IDENTIFIER ::= { id-logo 1 }

   id-logo-background OBJECT IDENTIFIER ::= { id-logo 2 }

   END

APPENDIX B. Acknowledgments

   This document is the result of contributions from many professionals.
   The authors appreciate contributions from all members of the IETF
   PKIX Working Group. We extend a special thanks to Al Arsenault, David
   Cross, Tim Polk, Russel Weiser, Terry Hayes, Alex Deacon, Andrew
   Hoag, Randy Sabett, Denis Pinkas, Magnus Nystrom, and Phil Griffin
   for their efforts and support.

APPENDIX C. Author Addresses

   Stefan Santesson
   AddTrust AB
   P.O. Box 465
   S-201 24 Malmoe
   Sweden
   stefan@addtrust.com

   Russell Housley
   RSA Laboratories
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA
   rhousley@rsasecurity.com

   Trevor Freeman
   Microsoft Corporation
   One Microsoft Way
   Redmond WA 98052
   USA
   trevorf@microsoft.com

Full Copyright Statement

   Copyright (C) The Internet Society (2002). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  In addition, the
   ASN.1 modules presented in Appendices A and B may be used in whole or
   in part without inclusion of the copyright notice.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process shall be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns. This
   document and the information contained herein is provided on an "AS
   IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
   FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
   LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
   NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY
   OR FITNESS FOR A PARTICULAR PURPOSE.
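
   Added example, not part of the draft or of any author's code: a
   minimal DER walk over the Appendix A LogotypeExtn that extracts each
   direct issuer/subject image's mediaSubType, logotypeHash and
   logotypeURI values and checks fetched bytes against the SHA-1
   logotypeHash. The function names, the sample URI and the SHA-1-only
   policy are assumptions; under IMPLICIT TAGS the CHOICE-typed
   LogotypeInfo fields are still wrapped explicitly.

```python
import hashlib
SHA1_OID = bytes.fromhex("2b0e03021a")  # content octets of OID 1.3.14.3.2.26

def tlv(tag, body):
    """Encode one DER element; the constructed sample fits short-form lengths."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def children(buf):
    """Split content octets into (tag, value) pairs; reject malformed lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] == 0x80:
            raise ValueError("truncated header or indefinite length")
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: low 7 bits count the length octets
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        out.append((tag, buf[i:i + n]))
        i += n
    return out

def direct_images(extn_der):
    """Return (mediaSubType, [(hashAlg OID, hashValue)], [URI]) per direct image."""
    found = []
    for field, info in children(children(extn_der)[0][1]):
        if field not in (0xA1, 0xA2):  # only issuerLogo [1] / subjectLogo [2]
            continue
        choice, data = children(info)[0]  # a CHOICE forces an explicit wrapper
        images = dict(children(data)).get(0x30, b"") if choice == 0xA0 else b""
        for _, image in children(images):  # indirect and audio are skipped
            (_, sub), (_, hashes), (_, uris) = children(children(image)[0][1])
            pairs = [(children(children(h)[0][1])[0][1], children(h)[1][1])
                     for _, h in children(hashes)]
            found.append((sub.decode(), pairs, [u.decode() for _, u in children(uris)]))
    return found

def matches(entry, fetched):
    """True only if a SHA-1 logotypeHash exists and all of them match the bytes."""
    sha1 = [v for oid, v in entry[1] if oid == SHA1_OID]
    return bool(sha1) and all(v == hashlib.sha1(fetched).digest() for v in sha1)

def sample_extn(image, uri):
    """Constructed sample: LogotypeExtn with one direct subjectLogo image."""
    alg = tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))
    hav = tlv(0x30, alg + tlv(0x04, hashlib.sha1(image).digest()))
    details = tlv(0x30, tlv(0x16, b"gif") + tlv(0x30, hav) + tlv(0x30, tlv(0x16, uri)))
    return tlv(0x30, tlv(0xA2, tlv(0xA0, tlv(0x30, tlv(0x30, details)))))
```

   The hash check binds externally hosted logotype data to the signed
   certificate; it does not address the rogue-CA case discussed above,
   where the CA itself signs an inappropriate logotype.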
