There has been a bunch of noise recently about the new Extended Validation concept for Certificate Authorities.
This is something that I was involved in before I left the Windows Security Team, and it’s something I want to blog on later, but today I want to talk about a concept that Extended Validation actually enables.
It’s something called LogoTypes. LogoTypes are an extension you can put into a certificate that (amongst other things) points to a URL where an image can be retrieved; along with that URL there is a hash of the object at the end of the URL.
The idea is that the issuer would only include these URLs if they have verified entitlement to the logo; this may include doing a trademark search and many other things.
The LogoType specification (RFC 3709) allows for the issuer to specify three different classes of logos. These include:
Subject Organization:
Community:
Issuer Organization:
Why should we care about this? Well, at first I thought Stefan (the author of this standard) was nuts; the last thing we need in certificates is more extensions, especially images (which can actually be embedded in the certificates containing this extension). But with that being said, I am a convert. There are lots of reasons to include this information, one of which is that people are often visual and companies spend lots of energy educating consumers about their brand.
We can leverage this fact to create more user-friendly and informative experiences involving certificates that can help users identify if a site is really the one they think it is. As an example, here is what the Trust Badge in IE7 might look like if it were to include the subject organization logo:
In VISTA I worked with the folks in the Windows Security team to introduce a new API that makes consuming these new certificate extensions EASY; it’s called CertRetrieveLogoOrBiometricInfo.
This API downloads the object, verifies it, and gives you the result of those operations; this way you don’t have to deal with the actual signature verification problems on your own.
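The check that the hash in the extension makes possible, sketched as an added example (not code from this post and not how CryptoAPI implements it). The field names follow RFC 3709's LogotypeDetails; the algorithm preference, the size limit, the media type comparison and the sample data are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Policy assumptions for this example (not taken from RFC 3709 or CryptoAPI).
PREFERRED_ALGS = ("sha256", "sha1")   # strongest first
MAX_LOGO_BYTES = 256 * 1024           # refuse oversized downloads

@dataclass
class LogotypeDetails:
    """Decoded fields of one logotype entry: media type, hashes, URIs."""
    media_type: str
    hashes: dict   # algorithm name -> expected digest bytes
    uris: list

def verify_logo(details, body, served_media_type):
    """Return (ok, reason). Fail closed: display the logo only if ok."""
    if len(body) > MAX_LOGO_BYTES:
        return False, "object too large"
    # Compare only type/subtype, ignoring parameters and case.
    want = details.media_type.split(";")[0].strip().lower()
    got = served_media_type.split(";")[0].strip().lower()
    if want != got:
        return False, "media type mismatch"
    # Use the strongest algorithm the certificate lists and we accept.
    for alg in PREFERRED_ALGS:
        expected = details.hashes.get(alg)
        if expected is None:
            continue
        actual = hashlib.new(alg, body).digest()
        if hmac.compare_digest(actual, expected):
            return True, "verified with " + alg
        return False, alg + " digest mismatch"
    return False, "no supported hash algorithm"

# Constructed sample data: a stand-in for image bytes, not a real logo.
LOGO = b"\x89PNG\r\n\x1a\n" + b"constructed-sample-logo"
SAMPLE = LogotypeDetails(
    media_type="image/png",
    hashes={"sha1": hashlib.sha1(LOGO).digest(),
            "sha256": hashlib.sha256(LOGO).digest()},
    uris=["https://logos.example/subject.png"],  # placeholder URI
)

if __name__ == "__main__":
    print(verify_logo(SAMPLE, LOGO, "image/png"))
    print(verify_logo(SAMPLE, LOGO + b"tampered", "image/png"))
```

Because the expected digest is covered by the issuer's signature on the certificate, an object swapped at the URL after issuance fails this check even though the URL itself is unchanged.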
You will notice that the API can also retrieve values from the BioMetricInfo extension; this is an extension from the standard for Qualified Certificate Profile (RFC 3039). In particular, this allows the issuer to include a picture of the subject or a scanned copy of the subject’s signature.
The assumption is that if you do an in-person proofed certificate request (like the acquisition of a passport), the image that was captured as part of that process could in effect be embedded into the certificate.
With this information you could build a contact picker that shows the real picture (optionally), or maybe integrate the information into a signature viewer so you can see a visual of who really signed something (was it this Ryan Hurst or the me?).
Now there are disclosure problems with the inclusion of BioMetricInfo extensions in certificates, and not many certificates are actually in-person-proofed with signatures and photos, so we’re not likely to see this in lots of certificates in the future, but it is supported in CryptoAPI so the environments that do have this information can take advantage of it.
I am really excited to see applications start to take advantage of this unsung hero that snuck into CryptoAPI during VISTA (which is done BTW!!).
Ryan