Title
- Secure Internet Letterhead
Goals
Secure Internet Letterhead addresses the following goals:
- User awareness of security information
- Reliable presentation of security information
- Reduce the number of scenarios in which users need to make trust decisions
- Best practices for other media
Overview
Secure Internet Letterhead allows Web User Agents brand logo of a certificate issuer, subject and/or communit(ies) within a framework that establishes accountability and hence trustworthiness.
Applicability
This requirement is applicable to Web User Agents that are capable of displaying bitmap graphics, and use a visual viewport to communicate trust information to users.
Good Practice
Web User Agents SHOULD be capable of presenting Secure Internet Letterhead in a manner that is not vulnerable to simulation by a content attack when the security conditions described in the requirement section below are met.
Requirement
Web User Agents MUST NOT present Secure Internet Letterhead or present content in a manner that might be mistaken for Secure Internet Letterhead unless the logo information has been verified as being accredited by a trusted and trustworthy source.
Techniques
The use of the PKIX Logotype extension within an X.509v3 certificate is preferred. In the case of a subject or community logo the certificate should at a minimum meet the level of trustworthiness established by the EV certificate guidelines.
Dependencies
Secure Internet Letterhead depends upon the SSL server certificate chain information and in particular the presence of a certificate issuer specific certificate policy extension OID for EV and a PKIX LOGOTYPE extension.
Examples
Use-cases
Secure Internet Letterhead addresses essentially the same use cases as for EV. The difference is that Secure Internet Letterhead provides a more direct connection to the frrame of reference in which the typical user evaluates trust decisions (i.e. brands as opposed to names).
As such the presentation of the Secure Internet Letterhead information requires certificate issuers to and make the utmost effort to ensure the reliability and trustworthiness of the information they present.
Attack resistance and limitations
Secure Letterhead logos may be ambiguous. A user may see the logo of brand A and confuse it for brand B. This leads to two distinct situations.
In the first case brand A is presented by a legitimate business which may or may not have the legal right to present itself in a manner that causes confusion. It is incumbent on brand B to chose a logo that is distinctive and defensible in the case that it is necessary to make a court challenge. It is incumbent on brand A to ensure that its choice of logo does not infringe on the rights of others.
In the second case brand A is not a legitimate business and is impersonating brand B for an overt criminal purpose. The accreditation practices of the certificate issuer MUST be designed to ensure that there is a very high degree of probability that a party that makes such a fraudulent can be identified and held accountable.
Usability Effect
Expected User behavior
The expected user behavior is similar to that of EV except that:
* A first time user who decides that they require additional assurance MAY look at the secondary chrome dialogue to determine which community logos are presented. For example Alice may want to know if her bank is FDIC insured on her first visit but is unlikely to require this on subsequent visits. * A frequent visitor to the site MAY be expected to look for the letterhead as the primary indication that the intended site is being visited. * The letterhead concept is intended to be ubiquitous and apply to every mode of Internet communication.
Disruption
As with EV, Secure Internet Letterhead does not mandate a user experience. It is however entirely possible to porovide a non-intrusive user experience.
Accessibility
The information provided by Secure Internet Letterhead is in addition to the information already provided in an X.509v3 certificate and not a substitute. Browsers designed for use by blind and partially sighted users should consider employing the existing X.509v3 subject and issuer information instead. Certificate issuers should provide an accessible means of entering community accreditation information.
Although the PKIX Logotype specification describes the presentation of audio instead of images the use of this information is problematic due to the lack of a consistent and comprehensive use of audible brands.
References
[RecommendationDisplayProposals/EVCerts Extended Validation Certificates]