Skip to main content

Internet X.509 Public Key Infrastructure -- Certificate Image
draft-ietf-pkix-certimage-11

Revision differences

Document history

Date Rev. By Action
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Sean Turner
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Ralph Droms
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Dan Romascanu
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for David Harrington
2011-02-18
11 Cindy Morgan State changed to RFC Ed Queue from Approved-announcement sent.
2011-02-15
11 (System) IANA Action state changed to No IC from In Progress
2011-02-15
11 (System) IANA Action state changed to In Progress
2011-02-15
11 Amy Vezza IESG state changed to Approved-announcement sent
2011-02-15
11 Amy Vezza IESG has approved the document
2011-02-15
11 Amy Vezza Closed "Approve" ballot
2011-02-15
11 Amy Vezza Approval announcement text regenerated
2011-02-15
11 Amy Vezza Ballot writeup text changed
2011-02-15
11 Amy Vezza State changed to Approved-announcement to be sent from IESG Evaluation.
2011-02-15
11 Amy Vezza State changed to IESG Evaluation from Waiting for AD Go-Ahead.
2011-02-15
11 Alexey Melnikov [Ballot Position Update] Position for Alexey Melnikov has been changed to No Objection from Discuss
2011-02-15
11 (System) New version available: draft-ietf-pkix-certimage-11.txt
2011-02-10
11 Tim Polk Ballot writeup text changed
2010-12-22
11 Alexey Melnikov
[Ballot comment]
As W3C has finally requested registration of image/svg+xml (see ), I am going to unblock this draft on the image/svg+xml registration issue.


1) …
[Ballot comment]
As W3C has finally requested registration of image/svg+xml (see ), I am going to unblock this draft on the image/svg+xml registration issue.


1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme defined in RFC 2397
  [RFC2397] if the logotype image is provided through direct
  addressing, i.e. the image is referenced using the LogotypeDetails
  structure.

To clarify: this document doesn't update RFC 3709 to allow use of "data" in
    1) Community logotype
    2) Issuer organization logotype
    3) Subject organization logotype
?

2) 4.2. PNG

  If a certificate image is provided as a bit mapped image, the PNG
  [ISO15948] format SHOULD be used.

  PNG images are identified by the following mediaType in
  LogotypeDetails:

      image/png

It is a shame that there is no RFC that describe this MIME type. But this is not a problem of this document.


3) I have some small set of issues on RFC 3709, which would have been a COMMENT level material if I were to review it for IESG:

In Section 4.1 of RFC 3709:

LogotypeDetails ::= SEQUENCE {
  mediaType      IA5String, -- MIME media type name and optional
                              -- parameters

The format of this field is not specified. This turned out to be an interop problem in some other similar cases.


In Section 4.1 of RFC 3709:

LogotypeImageInfo ::= SEQUENCE {
  type            [0] LogotypeImageType DEFAULT color,
  fileSize        INTEGER,  -- In octets
  xSize          INTEGER,  -- Horizontal size in pixels
  ySize          INTEGER,  -- Vertical size in pixels
  resolution      LogotypeImageResolution OPTIONAL,
  language        [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

I have to say that I don't see much point in tagging *images* with a language tag. If the image is in a format like PDF, then one would hope that language tagging is possible in the document itself. If the image is in a format like text/plain, then it is not really an image.

But I suppose this is mostly harmless, as long as any language tagging information in the media itself overrides this value.
So I think this is something that needs to be clarified if RFC 3709 is updated.

[...]

  When using indirect addressing, the URI (refStructURI) pointing to
  the external data structure MUST point to a binary file containing
  the DER encoded data with the syntax LogotypeData.  The referenced
  file name SHOULD include a file extension of "LTD".

This should have been a proper MIME type registration. I don't think it is possible to just register a file extension.
2010-12-22
11 Alexey Melnikov
[Ballot discuss]
This is a fine document and I generally support its publication:

5) (Thanks to Robert)

In Section 5.2:

  The referenced SVG file …
[Ballot discuss]
This is a fine document and I generally support its publication:

5) (Thanks to Robert)

In Section 5.2:

  The referenced SVG file MAY be provided in GZIP [RFC1952] compressed
  form as an SVGZ file according to section 1.2 in SVG 1.1 [SVG].

According to the updated MIME type registration (see ), this text is no longer correct.

If you want to be able to use this feature, you need to add a new parameter that can be used to specify Content encoding.
2010-12-21
11 Tim Polk Ballot writeup text changed
2010-12-15
11 Alexey Melnikov
[Ballot comment]
As W3C has finally requested registration of image/svg+xml (see ), I am going to unblock this draft on the image/svg+xml registration issue.


1) …
[Ballot comment]
As W3C has finally requested registration of image/svg+xml (see ), I am going to unblock this draft on the image/svg+xml registration issue.


1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme defined in RFC 2397
  [RFC2397] if the logotype image is provided through direct
  addressing, i.e. the image is referenced using the LogotypeDetails
  structure.

To clarify: this document doesn't update RFC 3709 to allow use of "data" in
    1) Community logotype
    2) Issuer organization logotype
    3) Subject organization logotype
?

2) 4.2. PNG

  If a certificate image is provided as a bit mapped image, the PNG
  [ISO15948] format SHOULD be used.

  PNG images are identified by the following mediaType in
  LogotypeDetails:

      image/png

It is a shame that there is no RFC that describe this MIME type. But this is not a problem of this document.


3) I have some small set of issues on RFC 3709, which would have been a COMMENT level material if I were to review it for IESG:

In Section 4.1 of RFC 3709:

LogotypeImageInfo ::= SEQUENCE {
  type            [0] LogotypeImageType DEFAULT color,
  fileSize        INTEGER,  -- In octets
  xSize          INTEGER,  -- Horizontal size in pixels
  ySize          INTEGER,  -- Vertical size in pixels
  resolution      LogotypeImageResolution OPTIONAL,
  language        [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

I have to say that I don't see much point in tagging *images* with a language tag. If the image is in a format like PDF, then one would hope that language tagging is possible in the document itself. If the image is in a format like text/plain, then it is not really an image.

But I suppose this is mostly harmless, as long as any language tagging information in the media itself overrides this value.
So I think this is something that needs to be clarified if RFC 3709 is updated.

[...]

  When using indirect addressing, the URI (refStructURI) pointing to
  the external data structure MUST point to a binary file containing
  the DER encoded data with the syntax LogotypeData.  The referenced
  file name SHOULD include a file extension of "LTD".

This should have been a proper MIME type registration. I don't think it is possible to just register a file extension.
2010-12-15
11 Alexey Melnikov
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, …
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, which would have been DISCUSS level material if I were to review it for IESG. So this is DISCUSS DISCUSS (i.e. I want to discuss it with the rest of IESG):

In Section 4.1 of RFC 3709:

LogotypeDetails ::= SEQUENCE {
  mediaType      IA5String, -- MIME media type name and optional
                              -- parameters

The format of this field is not specified. This turned out to be an interop problem in some other similar cases.

Alexey: Sorry, but I don't remember what was decided about this issue?


5) (Thanks to Robert)

In Section 5.2:

  The referenced SVG file MAY be provided in GZIP [RFC1952] compressed
  form as an SVGZ file according to section 1.2 in SVG 1.1 [SVG].

According to the updated MIME type registration (see <), this text is no longer correct.

If you want to be able to use this feature, you need to add a new parameter that can be used to specify Content encoding.
2010-11-01
11 Dan Romascanu
[Ballot comment]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      …
[Ballot comment]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize        INTEGER,  -- Horizontal size in pixels
        ySize        INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

Alexey already observed in a COMMENT that it looks useless to tag a logo image for language. Moreover, RFC 3709 is using the RFC 3066 Lamnguage Tag, while 3066 was obsolete by RFC 4646 which was later obsoleted by RFC 5646. I wonder if this would not rather cause problems than help.

I suggest the following:

- explain why a language tag is useful in a logo image

- clarify if the RFC 3066 tag still applies  although RFC 3066 was twice obsolete since it was published by RFC 4646 and  RFC 5646
2010-11-01
11 Dan Romascanu
[Ballot comment]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      …
[Ballot comment]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize        INTEGER,  -- Horizontal size in pixels
        ySize        INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

Alexey already observed in a COMMENT that it looks useless to tag a logo image for language. Moreover, RFC 3709 is using the RFC 3066 Lamnguage Tag, while 3066 was obsolete by RFC 4646 which was later obsoleted by RFC 5646. I wonder if this would not rather cause problems than help.

I suggest to following:

- explain why a language tag is useful in a logo image

- clarify if the RFC 3066 tag still applies  although RFC 3066 was twice obsolete since it was published by RFC 4646 and  RFC 5646
2010-11-01
11 Dan Romascanu [Ballot Position Update] Position for Dan Romascanu has been changed to No Objection from Discuss by Dan Romascanu
2010-10-31
11 Alexey Melnikov
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, …
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, which would have been DISCUSS level material if I were to review it for IESG. So this is DISCUSS DISCUSS (i.e. I want to discuss it with the rest of IESG):

In Section 4.1 of RFC 3709:

LogotypeDetails ::= SEQUENCE {
  mediaType      IA5String, -- MIME media type name and optional
                              -- parameters

The format of this field is not specified. This turned out to be an interop problem in some other similar cases.

  logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
  logotypeURI    SEQUENCE SIZE (1..MAX) OF IA5String }

4) Process related issue: image/svg+xml MIME type is not registered in the IANA MIME type registry.

Update on 31 October 2010: I am still waiting for W3C to submit the registration of image/svg+xml to IESG for approval.

5) (Thanks to Robert)

In Section 5.2:

  The referenced SVG file MAY be provided in GZIP [RFC1952] compressed
  form as an SVGZ file according to section 1.2 in SVG 1.1 [SVG]. Hash
  over the SVGZ file is calculated over the decompressed SVG content
  with canonicalized EOL characters () as specified above.

This would require a separate MIME type registration. I don't think it is Ok to just reuse image/svg+xml.

Update on 31 October 2010: Discussions with MIME experts in IETF and W3C suggest that IETF+W3C might need to work on an update to MIME to clarify this issue. One possible outcome might be to allow this variance for use in HTTP.
2010-10-11
11 Ralph Droms
[Ballot comment]
updated 2010-10-11

Abstract should not include citations (e.g., [RFC5280]).

Please reword "to a [RFC5280] public key certificate"; e.g., "to …
[Ballot comment]
updated 2010-10-11

Abstract should not include citations (e.g., [RFC5280]).

Please reword "to a [RFC5280] public key certificate"; e.g., "to a
public key certificate as defined in RFC 5280."
2010-10-11
11 Ralph Droms [Ballot Position Update] Position for Ralph Droms has been changed to No Objection from Discuss by Ralph Droms
2010-08-24
11 Cindy Morgan State changed to Waiting for AD Go-Ahead from In Last Call by Cindy Morgan
2010-08-16
11 Sean Turner [Ballot Position Update] Position for Sean Turner has been changed to No Objection from Discuss by Sean Turner
2010-08-13
11 Amy Vezza Document went into Last Call on August 10, 2010, and ends Last Call on August 24, 2010.  See http://www.ietf.org/mail-archive/web/ietf-announce/current/msg07768.html for the archive of the announcement.
2010-08-13
11 Amy Vezza Last call sent
2010-08-13
11 Amy Vezza State changed to In Last Call from Last Call Requested by Amy Vezza
2010-08-11
11 Michelle Cotton IANA 2nd Last Call Comments:

We understand this document to still have no IANA actions.
2010-08-10
11 Tim Polk Last Call was requested by Tim Polk
2010-08-10
11 Tim Polk State changed to Last Call Requested from IESG Evaluation::AD Followup by Tim Polk
2010-08-02
11 Peter Saint-Andre [Ballot Position Update] Position for Peter Saint-Andre has been changed to No Objection from Discuss by Peter Saint-Andre
2010-07-26
11 (System) Sub state has been changed to AD Follow up from New Id Needed
2010-07-26
10 (System) New version available: draft-ietf-pkix-certimage-10.txt
2010-07-16
11 (System) Removed from agenda for telechat - 2010-07-15
2010-07-15
11 Cindy Morgan State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Cindy Morgan
2010-07-15
11 Sam Weiler Request for Last Call review by SECDIR Completed. Reviewer: Patrick Cain.
2010-07-15
11 Tim Polk State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Tim Polk
2010-07-15
11 Adrian Farrel [Ballot comment]
I was disappointed to find that this draft has nothing to do with
reliability of magicians.
2010-07-15
11 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded by Adrian Farrel
2010-07-15
11 Ralph Droms
[Ballot comment]
Nit: OK, so I've learned to live with (or at least stop complaining about) the citation syntax "... as defined in [RFC FOO]" …
[Ballot comment]
Nit: OK, so I've learned to live with (or at least stop complaining about) the citation syntax "... as defined in [RFC FOO]" because of the availability of hyperlinks (in some representations) and the convenience of clicking through to the cited reference.  But I can't parse this syntax: "...to that [RFC5280] certificate...".  Is "[RFC5280]" an adjective describing a kind of certificate?
2010-07-15
11 Ralph Droms
[Ballot discuss]
After a little reflection, I decided to change this point to a DISCUSS...

Following up on Peter's first DISCUSS point, without additional description …
[Ballot discuss]
After a little reflection, I decided to change this point to a DISCUSS...

Following up on Peter's first DISCUSS point, without additional description of how the information that might be represented in the certimage, I don't understand how these points from the Security Considerations might be enforced:

  A bad performing CA may for example;

      - include information in graphical form that is in conflict with
        information in provided text based attributes or other name
        forms

Another nit: s/;/:/ above.

  Certificates, and hence their cert images, are commonly public
  objects and as such usually will not not contain privacy sensitive
  information.  However, when a cert image that is referenced from a
  certificate contains privacy sensitive information appropriate
  security controls should be in place to protect the privacy of that
  information. Details of such controls are outside the scope of this
  document.
2010-07-15
11 Ralph Droms [Ballot Position Update] Position for Ralph Droms has been changed to Discuss from No Objection by Ralph Droms
2010-07-15
11 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms
2010-07-15
11 Ralph Droms
[Ballot comment]
Nit: OK, so I've learned to live with (or at least stop complaining about) the citation syntax "... as defined in [RFC FOO]" …
[Ballot comment]
Nit: OK, so I've learned to live with (or at least stop complaining about) the citation syntax "... as defined in [RFC FOO]" because of the availability of hyperlinks (in some representations) and the convenience of clicking through to the cited reference.  But I can't parse this syntax: "...to that [RFC5280] certificate...".  Is "[RFC5280]" an adjective describing a kind of certificate? 

Following up on Peter's first DISCUSS point, without additional description of how the information that might be represented in the certimage, I don't understand how these points from the Security Considerations might be enforced:

  A bad performing CA may for example;

      - include information in graphical form that is in conflict with
        information in provided text based attributes or other name
        forms

Another nit: s/;/:/ above.

  Certificates, and hence their cert images, are commonly public
  objects and as such usually will not not contain privacy sensitive
  information.  However, when a cert image that is referenced from a
  certificate contains privacy sensitive information appropriate
  security controls should be in place to protect the privacy of that
  information. Details of such controls are outside the scope of this
  document.
2010-07-15
11 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded by Gonzalo Camarillo
2010-07-14
11 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2010-07-14
11 David Harrington [Ballot Position Update] Position for David Harrington has been changed to No Objection from Discuss by David Harrington
2010-07-14
11 Peter Saint-Andre [Ballot comment]
1. There are many violations of subject-verb agreement, such as "Images incorporated according to RFC 3709 provides" (instead of "provide").
2010-07-14
11 Peter Saint-Andre
[Ballot discuss]
1. What in the world is "a visual representation of a certificate"? This notion is not explained very clearly in the spec. Is …
[Ballot discuss]
1. What in the world is "a visual representation of a certificate"? This notion is not explained very clearly in the spec. Is it a company logo for the organization to which the cert was issued? Is it something like a "tag cloud"  that maps out the information contained in the cert? Is it a geeky form of kitten auth ? Is it whatever the issuer decides to include? Please explain this intriguing idea in more concrete terms or at least provide examples.

2. Memorability and therefore perhaps security would be enhanced if a visual representation were assigned by the relying party. This would result in something like a petname system  instead of using an issuer-imposed or even subject-created representation that is common to all relying parties. It might make sense to mention this alternate (or complementary) approach in the security considerations.
2010-07-14
11 Peter Saint-Andre [Ballot Position Update] New position, Discuss, has been recorded by Peter Saint-Andre
2010-07-14
11 Dan Romascanu
[Ballot discuss]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      …
[Ballot discuss]
In Section 3:

The optional LogotypeImageInfo structure is defined in [RFC3709] and
  is included here for convenience:

      LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize        INTEGER,  -- Horizontal size in pixels
        ySize        INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

Alexey already observed in a COMMENT that it looks useless to tag a logo image for language. Moreover, RFC 3709 is using the RFC 3066 Lamnguage Tag, while 3066 was obsolete by RFC 4646 which was later obsoleted by RFC 5646. I wonder if this would not rather cause problems than help.
2010-07-14
11 Dan Romascanu [Ballot Position Update] New position, Discuss, has been recorded by Dan Romascanu
2010-07-13
11 Robert Sparks
[Ballot comment]
Support Alexey's Discuss points regarding the mime type

Please consider an additional sentence or so at the start of the security considerations section …
[Ballot comment]
Support Alexey's Discuss points regarding the mime type

Please consider an additional sentence or so at the start of the security considerations section explicitly reinforcing that a CA needs to understand the security considerations section of 3709 before signing a certificate using this extension.
2010-07-13
11 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded by Robert Sparks
2010-07-13
11 Sean Turner
[Ballot discuss]
The -06 version added RFC 1952 as a normative reference.  This RFC is not in the DOWNREF registry (http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry) and (obviously) …
[Ballot discuss]
The -06 version added RFC 1952 as a normative reference.  This RFC is not in the DOWNREF registry (http://trac.tools.ietf.org/group/iesg/trac/wiki/DownrefRegistry) and (obviously) wasn't part of the IETF LC, which was on the -02 version.  A second abbreviated IETF LC is required to call out this DOWNREF.
2010-07-13
11 Sean Turner [Ballot Position Update] New position, Discuss, has been recorded by Sean Turner
2010-07-13
11 Alexey Melnikov
[Ballot comment]
1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme …
[Ballot comment]
1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme defined in RFC 2397
  [RFC2397] if the logotype image is provided through direct
  addressing, i.e. the image is referenced using the LogotypeDetails
  structure.

To clarify: this document doesn't update RFC 3709 to allow use of "data" in
    1) Community logotype
    2) Issuer organization logotype
    3) Subject organization logotype
?

2) 4.2. PNG

  If a certificate image is provided as a bit mapped image, the PNG
  [ISO15948] format SHOULD be used.

  PNG images are identified by the following mediaType in
  LogotypeDetails:

      image/png

It is a shame that there is no RFC that describe this MIME type. But this is not a problem of this document.


3) I have some small set of issues on RFC 3709, which would have been a COMMENT level material if I were to review it for IESG:

In Section 4.1 of RFC 3709:


In Section 4.1 of RFC 3709:

LogotypeImageInfo ::= SEQUENCE {
  type            [0] LogotypeImageType DEFAULT color,
  fileSize        INTEGER,  -- In octets
  xSize          INTEGER,  -- Horizontal size in pixels
  ySize          INTEGER,  -- Vertical size in pixels
  resolution      LogotypeImageResolution OPTIONAL,
  language        [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

I have to say that I don't see much point in tagging *images* with a language tag. If the image is in a format like PDF, then one would hope that language tagging is possible in the document itself. If the image is in a format like text/plain, then it is not really an image.

But I suppose this is mostly harmless, as long as any language tagging information in the media itself overrides this value.
So I think this is something that needs to be clarified if RFC 3709 is updated.

[...]

  When using indirect addressing, the URI (refStructURI) pointing to
  the external data structure MUST point to a binary file containing
  the DER encoded data with the syntax LogotypeData.  The referenced
  file name SHOULD include a file extension of "LTD".

This should have been a proper MIME type registration. I don't think it is possible to just register a file extension.
2010-07-13
11 Alexey Melnikov
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, …
[Ballot discuss]
This is a fine document and I generally support its publication:

3) I have some small set of issues on RFC 3709, which would have been DISCUSS level material if I were to review it for IESG. So this is DISCUSS DISCUSS (i.e. I want to discuss it with the rest of IESG):

In Section 4.1 of RFC 3709:

LogotypeDetails ::= SEQUENCE {
  mediaType      IA5String, -- MIME media type name and optional
                              -- parameters

The format of this field is not specified. This turned out to be an interop problem in some other similar cases.

  logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
  logotypeURI    SEQUENCE SIZE (1..MAX) OF IA5String }

4) Process related issue: image/svg+xml MIME type is not registered in the IANA MIME type registry.

5) (Thanks to Robert)

In Section 5.2:

  The referenced SVG file MAY be provided in GZIP [RFC1952] compressed
  form as an SVGZ file according to section 1.2 in SVG 1.1 [SVG]. Hash
  over the SVGZ file is calculated over the decompressed SVG content
  with canonicalized EOL characters () as specified above.

This would require a separate MIME type registration. I don't think it is Ok to just reuse image/svg+xml.
2010-07-12
11 David Harrington [Ballot comment]
2010-07-12
11 David Harrington
[Ballot discuss]
4) in section 6, "Clients SHOULD parse ..." seems unclear as compare the MUST NOT langauge in the related section 4.2.

I think …
[Ballot discuss]
4) in section 6, "Clients SHOULD parse ..." seems unclear as compare the MUST NOT langauge in the related section 4.2.

I think this should say "Clients MUST parse ... and reject if ..."
2010-07-12
09 (System) New version available: draft-ietf-pkix-certimage-09.txt
2010-07-12
11 David Harrington
[Ballot comment]
1) in section 3, no explanation is given for why Resolution MUST NOT be specified.

2) in section 4.1, LogotypeDetails is used before …
[Ballot comment]
1) in section 3, no explanation is given for why Resolution MUST NOT be specified.

2) in section 4.1, LogotypeDetails is used before being defined (or referenced). I recommend moving the copied definitoon from section 5 to precede its first use.
2010-07-12
11 David Harrington
[Ballot discuss]
1) section TBD needs to be D. (It apparently is D'd in appendix A)

2) it is unclear which formats MUST be supported …
[Ballot discuss]
1) section TBD needs to be D. (It apparently is D'd in appendix A)

2) it is unclear which formats MUST be supported by a compliant implementation.

3) in section 5, the second Note says to be cautious. That is rather ambiguous. How does one "be cautious" about the size if the use is not necessary known? Please provide actionable advice.

4) in section 6, "Clients SHOULD parse ..." seems unclear as compare the MUST NOT langauge in the related section 4.2. Are there additional constraints about external data that must be followed, or should be followed? Where does one find a definitive list of what those constraints are?
2010-07-12
11 David Harrington [Ballot Position Update] New position, Discuss, has been recorded by David Harrington
2010-07-12
11 Russ Housley [Ballot Position Update] New position, Recuse, has been recorded by Russ Housley
2010-07-12
11 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2010-07-11
11 Alexey Melnikov
[Ballot comment]
1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme …
[Ballot comment]
1) 5. Embedded images

  The certificate image otherLogos type MAY be stored within the
  logotype extension using the "data" URL scheme defined in RFC 2397
  [RFC2397] if the logotype image is provided through direct
  addressing, i.e. the image is referenced using the LogotypeDetails
  structure.

To clarify: this document doesn't update RFC 3709 to allow use of "data" in
    1) Community logotype
    2) Issuer organization logotype
    3) Subject organization logotype
?

2) 4.2. PNG

  If a certificate image is provided as a bit mapped image, the PNG
  [ISO15948] format SHOULD be used.

  PNG images are identified by the following mediaType in
  LogotypeDetails:

      image/png

It is a shame that there is no RFC that describe this MIME type. But this is not a problem of this document.


3) I have some small set of issues on RFC 3709, which would have been a COMMENT level material if I were to review it for IESG:

In Section 4.1 of RFC 3709:

LogotypeImageInfo ::= SEQUENCE {
  type            [0] LogotypeImageType DEFAULT color,
  fileSize        INTEGER,  -- In octets
  xSize          INTEGER,  -- Horizontal size in pixels
  ySize          INTEGER,  -- Vertical size in pixels
  resolution      LogotypeImageResolution OPTIONAL,
  language        [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

I have to say that I don't see much point in tagging *images* with a language tag. If the image is in a format like PDF, then one would hope that language tagging is possible in the document itself. If the image is in a format like text/plain, then it is not really an image.

But I suppose this is mostly harmless, as long as any language tagging information in the media itself overrides this value.
So I think this is something that needs to be clarified if RFC 3709 is updated.
2010-07-11
11 Alexey Melnikov
[Ballot discuss]
This is a fine document and I generally support its publication:

1) In Section 4 and subsections: It looks like PDF and SVG …
[Ballot discuss]
This is a fine document and I generally support its publication:

1) In Section 4 and subsections: It looks like PDF and SVG are MAY level requirements and PNG is a SHOULD level requirement. Is there a mandatory-to-implement format?

2) In Section 5:

  The syntax of the "data" URL Scheme defined in RFC 2397 is included
  here for convenience:

        dataurl    := "data:" [ mediatype ] [ ";base64" ] "," data
        mediatype  := [ type "/" subtype ] *( ";" parameter ) data   
          := *urlchar parameter  := attribute "=" value

You have a formatting error here, this doesn't look like a valid BNF.

3) I have some small set of issues on RFC 3709, which would have been DISCUSS level material if I were to review it for IESG. So this is DISCUSS DISCUSS:

In Section 4.1 of RFC 3709:

LogotypeDetails ::= SEQUENCE {
  mediaType      IA5String, -- MIME media type name and optional
                              -- parameters

The format of this field is not specified. This turned out to be an interop problem in some other similar cases.

  logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
  logotypeURI    SEQUENCE SIZE (1..MAX) OF IA5String }

[...]

  When using indirect addressing, the URI (refStructURI) pointing to
  the external data structure MUST point to a binary file containing
  the DER encoded data with the syntax LogotypeData.  The referenced
  file name SHOULD include a file extension of "LTD".

This should have been a proper MIME type registration. I don't think it is possible to just register a file extension.
2010-07-11
11 Alexey Melnikov [Ballot Position Update] New position, Discuss, has been recorded by Alexey Melnikov
2010-07-09
11 Amanda Baber IANA comments:

As described in the IANA Considerations section, we understand this
document to have NO IANA Actions.
2010-07-09
11 Stewart Bryant [Ballot Position Update] New position, No Objection, has been recorded by Stewart Bryant
2010-07-09
11 Tim Polk Ballot has been issued by Tim Polk
2010-07-09
11 Tim Polk [Ballot Position Update] New position, Yes, has been recorded for Tim Polk
2010-07-09
11 Tim Polk Ballot has been issued by Tim Polk
2010-07-09
11 Tim Polk Created "Approve" ballot
2010-07-09
11 Tim Polk Placed on agenda for telechat - 2010-07-15 by Tim Polk
2010-06-29
11 Sam Weiler Request for Last Call review by SECDIR is assigned to Patrick Cain
2010-06-29
11 Sam Weiler Request for Last Call review by SECDIR is assigned to Patrick Cain
2010-06-28
11 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2010-06-25
11 Tim Polk Last Call was requested by Tim Polk
2010-06-25
11 (System) Ballot writeup text was added
2010-06-25
11 (System) Last call text was added
2010-06-25
11 (System) Ballot approval text was added
2010-06-25
11 Tim Polk State Changes to Last Call Requested from Publication Requested by Tim Polk
2010-06-01
11 Tim Polk [Note]: 'Steve Kent is the document shepherd <kent@bbn.com>' added by Tim Polk
2010-06-01
11 Tim Polk
  (1.a) Who is the Document Shepherd for this document?

        Has the Document Shepherd personally reviewed this version of
    …
  (1.a) Who is the Document Shepherd for this document?

        Has the Document Shepherd personally reviewed this version of
          the document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

Steve Kent is the document shepherd for this document, and I have personally reviewed this version of the document and believe this version is ready for forwarding to the IESG for publication.

    (1.b) Has the document had adequate review both from key WG members
          and from key non-WG members? Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

The document has received adequate review from key WG members. This draft has also been reviewed by independent implementers as well as from members of the ETSI standards community, which is very supportive of this work.

    (1.c) Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?

No.

    (1.d) Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of? For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it. In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here. Has an IPR disclosure related to this document
          been filed? If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

There are no specific concerns to highlight to the AD or IESG. I am aware of no IPR disclosures that have been filed related to this document.

    (1.e) How solid is the WG consensus behind this document? Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

The technical aspects of this document represents rough consensus of active WG members. The document, which is fairly brief, was discussed on the PKIX list over the course of about 10 months (over 270 messages). The authors made a number of changes in response to comments from WG members. As a result of these changes, I believe that the substantive objections were addressed. A few folks still object to this document, but their objections do not seem reasonable to me, as the cognizant WG co-chair.


    (1.f) Has anyone threatened an appeal or otherwise indicated extreme
          discontent? If so, please summarize the areas of conflict in
          separate email messages to the Responsible Area Director. (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

Yes. Paul Hoffman has threatened to appeal, on procedural grounds. Specifically, Paul feels that I improperly declared consensus based on analysis of list comments over the last 3 months of discussion, vs. just those comments that were posted during the 2-week WGLC.

    (1.g) Has the Document Shepherd personally verified that the
          document satisfies all ID nits? (See
        http://www.ietf.org/ID-Checklist.html and
        http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews?

Yes. There is one normative down reference, to an informational RFC defining GZIP, but I think this is an allowable exception, given the context.

    (1.h) Has the document split its references into normative and
          informative? Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state? If such normative references exist, what is the
          strategy for their completion? Are there normative references
          that are downward references, as described in [RFC3967]? If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

References have been split into normative and informative sections.

    (1.i) Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document? If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries? Are the IANA registries clearly identified? If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations? Does it suggest a
          reasonable name for the new registry? See [RFC5226]. If the
          document describes an Expert Review process has Shepherd
          conferred with the Responsible Area Director so that the IESG
          can appoint the needed Expert during the IESG Evaluation?

The I-D has an IANA Considerations section stating that this document requires no actions by IANA.

    (1.j) Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

I have been informed that the ASN.1 modules provided in this document have been compiled and tested separately by Jim Schaad, the PKIX ASN expert.

    (1.k) The IESG approval announcement includes a Document
          Announcement Write-Up. Please provide such a Document
          Announcement Write-Up? Recent examples can be found in the
          "Action" announcements for approved documents. The approval
          announcement contains the following sections:

          Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document. If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.

          Working Group Summary
            Was there anything in WG process that is worth noting? For
            example, was there controversy about particular points or
            were there decisions where the consensus was particularly
            rough?

          Document Quality
            Are there existing implementations of the protocol? Have a
            significant number of vendors indicated their plan to
            implement the specification? Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive issues? If
            there was a MIB Doctor, Media Type or other expert review,
            what was its course (briefly)? In the case of a Media Type
            review, on what date was the request posted?

Technical Summary

RFC 3709 defines a way to bind a logo or analogous image to a certificate,
to aid human interpretation of a certificate by providing meaningful visual information to the user interface. This document specifies three new encodings for visual representations, as an extension of RFC 3709, using the otherLogos extension capability of that RFC. Thus it represents an incremental change to the fundamental capability provided by 3709.

Work Group Summary

This draft went through two WG last calls. At the first WGLC this document generated a fairly large amount of discussion where several WG members voiced security concerns as well as concerns whether the problem addressed by this draft requires a solution or whether this problem would be better served by another solution. These security concerns were addressed as a result of changes made after the first WGLC. The residual objection that was raised by a few individuals (during the second WGLC) is whether this solution is will be successful, i.e., deployed. (We have seen no deployment of certificates with the 3709 extension, nor are we aware of code to make use of this extension in relying party software. Thus the objection raised by a few individuals is essentially of the form “the base RFC was not deployed, and we believe that these extensions will not help.”) Several major implementers have stated their support for the current draft. Support has also been voiced from representatives of the ETSI standardization community as this draft is needed as standard for ETSI standardization work that is to be concluded this year. Thus I believe that it is appropriate to progress this work.

Document Quality

The document is brief and reasonably clearly written.
2010-06-01
11 Tim Polk Draft Added by Tim Polk in state Publication Requested
2010-06-01
11 Tim Polk [Note]: 'Steve Kent is the document shepherd ' added by Tim Polk
2010-03-25
08 (System) New version available: draft-ietf-pkix-certimage-08.txt
2010-03-24
07 (System) New version available: draft-ietf-pkix-certimage-07.txt
2010-02-18
06 (System) New version available: draft-ietf-pkix-certimage-06.txt
2010-02-17
05 (System) New version available: draft-ietf-pkix-certimage-05.txt
2009-12-04
04 (System) New version available: draft-ietf-pkix-certimage-04.txt
2009-11-11
03 (System) New version available: draft-ietf-pkix-certimage-03.txt
2009-11-11
02 (System) New version available: draft-ietf-pkix-certimage-02.txt
2009-08-25
01 (System) New version available: draft-ietf-pkix-certimage-01.txt
2009-05-15
00 (System) New version available: draft-ietf-pkix-certimage-00.txt