INTERNET-DRAFT                           Stefan Santesson (3xA Security)
Intended Status: Proposed Standard         Russ Housley (Vigil Security)
Updates: 3709 (once approved)                 Siddharth Bajaj (VeriSign)
Expires: May 15, 2010                          Leonard Rosenthol (Adobe)
                                                       November 11, 2009


      Internet X.509 Public Key Infrastructure - Certificate Image
                     <draft-ietf-pkix-certimage-02>


Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html


Copyright and License Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

 


Santesson et all.         Expires May 15, 2010                  [Page 1]

INTERNET DRAFT             Certificate Image           November 11, 2009


Abstract

   This document specifies a method to bind a visual representation of a
   certificate in the form of a certificate image to a [RFC5280] public
   key certificate by defining a new otherLogos image type according to
   [RFC3709].



Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
      1.2  Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
   2  Certificate Image  . . . . . . . . . . . . . . . . . . . . . . . 5
   3 LogotypeImageInfo . . . . . . . . . . . . . . . . . . . . . . . . 5
   4  Certificate Image Formats  . . . . . . . . . . . . . . . . . . . 6
      4.1 PDF  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
      4.2 SVG  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
      4.2 PNG  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
   5  Embedded images  . . . . . . . . . . . . . . . . . . . . . . . . 7
   6  Security Considerations  . . . . . . . . . . . . . . . . . . . . 9
   7  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . . 9
   8  References . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
      8.1 Normative References . . . . . . . . . . . . . . . . . . . . 9
      8.2 Informative References . . . . . . . . . . . . . . . . . .  10
   Appendix A - data: URI example  . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15





















 


Santesson et all.         Expires May 15, 2010                  [Page 2]

INTERNET DRAFT             Certificate Image           November 11, 2009


1.  Introduction


   This standard specifies how to bind a Certificate Image, providing a
   visual representation of a certificate, to that [RFC5280] certificate
   using the Logotype extension defined in [RFC3709], specifying the
   Certificate Image as a new otherLogos type.

   The purpose of the Certificate image is to aid human interpretation
   of a certificate by providing meaningful visual information to the
   user interface.

   Typical situations when a human needs to examine the visual
   representation of a certificate are:

      - A person establishes secured channel with an authenticated
      service. The person needs to determine the identity of the service
      based on the authenticated credentials.

      - A person validates the signature on critical information, such
      as signed executable code, and needs to determine the identity of
      the signer based on the signer's certificate.

      - A person is required to select an appropriate certificate to be
      used when authenticating to a service or Identity Management
      infrastructure. The person needs to see the available certificates
      in order to distinguish between them in the selection process.


   Display of a certificate information to humans is challenging due to
   lack of well defined semantics for critical identity attributes.
   Unless the application has out of band knowledge about a particular
   certificate, the application will not know the exact nature of the
   data stored in common identification attributes such as serialNumber,
   organizationName, country, etc. Consequently the application can
   display the actual data, but faces problem to label that data in the
   UI, informing the human about the exact nature (semantics) of that
   data. It is also challenging for the application to determine which
   identification attribute that are important to display and how to
   organize them in a logical order.

   RFC 3709 [RFC3709] defines a certificate extension for binding images
   to a certificate, such as community logo and issuer logo, enhancing
   display of certificate information. The syntax is extensible and
   allows inclusion of new image types using the other-Logos structure.
   This standard defines how to include a complete certificate image
   using the extensibility mechanism of RFC 3709.

 


Santesson et all.         Expires May 15, 2010                  [Page 3]

INTERNET DRAFT             Certificate Image           November 11, 2009


1.2  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].











































 


Santesson et all.         Expires May 15, 2010                  [Page 4]

INTERNET DRAFT             Certificate Image           November 11, 2009


2  Certificate Image

   This section defines the Certificate Image as a new otherLogos type
   according to section 4.1 of [RFC3709].

   The Certificate Image otherLogos type is identified by the Object
   Identifier (OID) id-logo-certimage.

      id-pkix  OBJECT IDENTIFIER  ::=
           { iso(1) identified-organization(3) dod(6) internet(1)
           security(5) mechanisms(5) pkix(7) }

      id-logo OBJECT IDENTIFIER ::= { id-pkix 20 }

      id-logo-certimage OBJECT IDENTIFIER ::= { id-logo TBD }

   //* Note: TBD is to be replaced by a real OID before publication of
   this draft *//

   When present the Certificate Image MUST represent a complete visual
   representation of the certificate. This means that the display of
   this certificate image represents all information about the
   certificate that the issuer subjectively defines as relevant to show
   a typical human user within the typical intended use of the
   certificate, giving adequate information about at least the following
   three aspects of the certificate:

      - Certificate Context
      - Certificate Issuer
      - Certificate Subject

   Certificate Context information is visual marks and/or textual
   information which helps the typical user to understand the typical
   usage and/or purpose of the certificate

   It is up to the issuer to decide what information in the form of text
   and graphical symbols and elements, which represents a complete
   visual representation of the certificate.

   Applications providing a Graphical User Interface (GUI) to the
   certificate user MAY present a Certificate Image according to this
   standard in any given application interface, as the only visual
   representation of a certificate.

3 LogotypeImageInfo

   The optional LogotypeImageInfo structure is defined in [RFC3709] and
   is included here for convenience:
 


Santesson et all.         Expires May 15, 2010                  [Page 5]

INTERNET DRAFT             Certificate Image           November 11, 2009


      LogotypeImageInfo ::= SEQUENCE {
        type          [0] LogotypeImageType DEFAULT color,
        fileSize      INTEGER,  -- In octets
        xSize         INTEGER,  -- Horizontal size in pixels
        ySize         INTEGER,  -- Vertical size in pixels
        resolution    LogotypeImageResolution OPTIONAL,
        language      [4] IA5String OPTIONAL }  -- RFC 3066 Language Tag

   When the optional LogotypeImageInfo is included with a certificate
   image, the parameters shall be used with the following semantics and
   restrictions.

   xSize and ySize represents recommended display size for the image.
   When a value of 0 (zero) is present, no recommended display size
   specified. When non-zero values are present and these values differ
   from corresponding size values in the referenced image file, then the
   referenced image SHOULD be scaled to fit within the size parameters
   of LogotypeImageInfo, while keeping x and y ratio intact.

   Resolution MUST NOT be specified.


4  Certificate Image Formats

4.1 PDF

   A Certificate Image MAY be provided in the form of a Portable
   Document Format (PDF) document according to [ISO32000] following the
   conventions defined in this section. When a certificate image is
   formatted as a PDF document, it MUST also be formatted according to
   the profile PDF/A [ISO19005].

   When including a PDF document as Certificate Image, the following
   MIME media type as specified in [RFC3778] MUST be used as mediaType
   in LogotypeDetails:

      application/pdf

4.2 SVG

   A Certificate Image MAY be provided in the form of a Scalable Vector
   Graphic (SVG) image, which MUST follow the SVG Tiny profile [SVGT1.2]

   The following MIME media type defined in Appendix M of [SVGT1.2] MUST
   be used as mediaType in LogotypeDetails for SVG images:

      image/svg+xml

 


Santesson et all.         Expires May 15, 2010                  [Page 6]

INTERNET DRAFT             Certificate Image           November 11, 2009


   The SVG image file MUST NOT incorporate any external image data by
   reference to an external SVG document, or by reference to an external
   media source other than SVG. Doing so would incorporate image data
   that is not covered by the logotypeHash value of the image.
   Certificate using applications MUST reject any image that violates
   this rule.

   The XML structure in the SVG file MUST use <LF> (linefeed 0x0A) as
   end-of-line (EOL) character when calculating the hash over the SVG
   file. The referenced SVG file may be provided in compressed form, for
   example as SVG.GZ or SVGZ. It is outside the scope of this
   specification to specify any such compression algorithm. However,
   after decompression the EOL characters of the SVG file MUST be
   normalized according to this section before computing the hash of the
   SVG file.

4.2 PNG

   If a certificate image is provided as a bit mapped image, the PNG
   [ISO15948] format SHOULD be used.

   PNG images are identified by the following mediaType in
   LogotypeDetails:

      image/png

5  Embedded images

   The certificate image otherLogos type MAY be stored within the
   logotype extension using the "data" URL scheme defined in RFC 2397
   [RFC2397] if the logotype image is provided through direct
   addressing, i.e. the image is referenced using the LogotypeDetails
   structure.

   The syntax of Logotype details defined in RFC 3709 is included here
   for convenience:

      LogotypeDetails ::= SEQUENCE {
         mediaType       IA5String, -- MIME media type name and optional
                                    -- parameters
         logotypeHash    SEQUENCE SIZE (1..MAX) OF HashAlgAndValue,
         logotypeURI     SEQUENCE SIZE (1..MAX) OF IA5String }






 


Santesson et all.         Expires May 15, 2010                  [Page 7]

INTERNET DRAFT             Certificate Image           November 11, 2009


   When including the image data in the logotype extension using the
   "data" URL scheme the following conventions apply.

      -  the value of mediaType MUST be identical to the mediatype value
         in the "data:" URL.
      -  The hash of the image MUST be included in logotypeHash and MUST
         be calculated over the same data as it would have been, had the
         image been referenced through a link to an external resource.



   Note: As the "data:" URL scheme is processed as a data source rather
         than as a URL, the image data is typically not limited by any
         URL length limit setting that otherwise apply to URLs in
         general.

   Note: Implementations need to be cautious about the the size of
         images included in a certificate in order to ensure that the
         size of the certificate does not prevent the certificate to be
         used as intended.




























 


Santesson et all.         Expires May 15, 2010                  [Page 8]

INTERNET DRAFT             Certificate Image           November 11, 2009


6  Security Considerations

   The security considerations of [RFC3709] apply also to this standard.

   This standard makes it possible for a CA to issue a certificate with
   a Certificate Image that is in conflict with other data included in
   the certificate without the relying party application being able to
   detect the delta.

   A relying party application MUST decide that the certificate is valid
   and trustworthy enough to provide a Certificate Image before using
   it.

   Referenced image files are hashed in order to bind the image to the
   signature of the certificate. Some image types, such as SVG allow
   part of the image to be collected from external source by
   incorporating a reference to an external image file. If this feature
   were used within a certificate image file, the hash of the image file
   would only cover the URI reference to the external image file, but
   not the referenced image data. To ensure that the hash of the
   certificate image covers the whole image, implementations of this
   standard MUST reject images that incorporate parts of the image by
   reference to external image files.

   CAs issuing certificate with embedded certificate images should be
   cautious when accepting graphics from the certificate requestor for
   inclusion in the certificate if the hash algorithm used to sign the
   certificate is vulnerable to collision attacks. In such case the
   accepted image may contain data that could help an attacker to obtain
   colliding certificates with identical certificate signatures.


7  IANA Considerations

   This document requires no actions from IANA.


8  References

8.1 Normative References

   [RFC2119]  S. Bradner, "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008
 


Santesson et all.         Expires May 15, 2010                  [Page 9]

INTERNET DRAFT             Certificate Image           November 11, 2009


   [RFC3709]  S. Santesson, R. Housley, T. Freeman, "Internet X.509
              Public Key Infrastructure Logotypes in X.509
              Certificates", RFC 3709, February 2004

   [RFC2397]  L. Masinter, 'The "data" URL scheme' RFC 2397, August 1998

   [ISO32000] ISO 32000-1:2008, "Document management - Portable document
              format" -- Part 1: PDF 1.7, April 2008

   [ISO19005] ISO 19005-1:2005, "Document Management - Electronic
              document file format for long term preservation - Part 1:
              Use of PDF 1.4 (PDF/A-1)", 2005

   [ISO15948] ISO/IEC 15948:2004, "Information technology - Computer
              graphics and image processing -- Portable Network Graphics
              (PNG): Functional specification", 2004

   [SVGT1.2]  W3C Recommendation, "Scalable Vector Graphics (SVG) Tiny
              1.2 Specification", December 2008


8.2 Informative References

   [RFC3778]  E. Taft, J. Pravetz, S. Zilles, L. Masinter "The
              application/pdf Media Type", RFC 3778, May 2004























 


Santesson et all.         Expires May 15, 2010                 [Page 10]

INTERNET DRAFT             Certificate Image           November 11, 2009


Appendix A - data: URI example

 The following example stores an embedded SVG image using the data: URI
 scheme.

 data:image/svg+xml;base64,
 PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9
 Im5vIj8+DQo8IS0tIENyZWF0ZWQgd2l0aCBJbmtzY2FwZSAoaHR0cDovL3d3dy5p
 bmtzY2FwZS5vcmcvKSAtLT4NCjxzdmcNCiAgIHhtbG5zOmRjPSJodHRwOi8vcHVy
 bC5vcmcvZGMvZWxlbWVudHMvMS4xLyINCiAgIHhtbG5zOmNjPSJodHRwOi8vY3Jl
 YXRpdmVjb21tb25zLm9yZy9ucyMiDQogICB4bWxuczpyZGY9Imh0dHA6Ly93d3cu
 dzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiDQogICB4bWxuczpzdmc9
 Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIg0KICAgeG1sbnM9Imh0dHA6Ly93
 d3cudzMub3JnLzIwMDAvc3ZnIg0KICAgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cu
 dzMub3JnLzE5OTkveGxpbmsiDQogICB4bWxuczpzb2RpcG9kaT0iaHR0cDovL3Nv
 ZGlwb2RpLnNvdXJjZWZvcmdlLm5ldC9EVEQvc29kaXBvZGktMC5kdGQiDQogICB4
 bWxuczppbmtzY2FwZT0iaHR0cDovL3d3dy5pbmtzY2FwZS5vcmcvbmFtZXNwYWNl
 cy9pbmtzY2FwZSINCiAgIGlkPSJzdmczNTUyIg0KICAgc29kaXBvZGk6dmVyc2lv
 bj0iMC4zMiINCiAgIGlua3NjYXBlOnZlcnNpb249IjAuNDYiDQogICB3aWR0aD0i
 NDAxIg0KICAgaGVpZ2h0PSI0MDEiDQogICB2ZXJzaW9uPSIxLjAiDQogICBzb2Rp
 cG9kaTpkb2NuYW1lPSJ0aWNrZXRmcmFtZS5zdmciDQogICBpbmtzY2FwZTpvdXRw
 dXRfZXh0ZW5zaW9uPSJvcmcuaW5rc2NhcGUub3V0cHV0LnN2Zy5pbmtzY2FwZSI+
 DQogIDxtZXRhZGF0YQ0KICAgICBpZD0ibWV0YWRhdGEzNTU3Ij4NCiAgICA8cmRm
 OlJERj4NCiAgICAgIDxjYzpXb3JrDQogICAgICAgICByZGY6YWJvdXQ9IiI+DQog
 ICAgICAgIDxkYzpmb3JtYXQ+aW1hZ2Uvc3ZnK3htbDwvZGM6Zm9ybWF0Pg0KICAg
 ICAgICA8ZGM6dHlwZQ0KICAgICAgICAgICByZGY6cmVzb3VyY2U9Imh0dHA6Ly9w
 dXJsLm9yZy9kYy9kY21pdHlwZS9TdGlsbEltYWdlIiAvPg0KICAgICAgPC9jYzpX
 b3JrPg0KICAgIDwvcmRmOlJERj4NCiAgPC9tZXRhZGF0YT4NCiAgPGRlZnMNCiAg
 ICAgaWQ9ImRlZnMzNTU1Ij4NCiAgICA8aW5rc2NhcGU6cGVyc3BlY3RpdmUNCiAg
 ICAgICBzb2RpcG9kaTp0eXBlPSJpbmtzY2FwZTpwZXJzcDNkIg0KICAgICAgIGlu
 a3NjYXBlOnZwX3g9IjAgOiA1MjYuMTgxMDkgOiAxIg0KICAgICAgIGlua3NjYXBl
 OnZwX3k9IjAgOiAxMDAwIDogMCINCiAgICAgICBpbmtzY2FwZTp2cF96PSI3NDQu
 MDk0NDggOiA1MjYuMTgxMDkgOiAxIg0KICAgICAgIGlua3NjYXBlOnBlcnNwM2Qt
 b3JpZ2luPSIzNzIuMDQ3MjQgOiAzNTAuNzg3MzkgOiAxIg0KICAgICAgIGlkPSJw
 ZXJzcGVjdGl2ZTM1NTkiIC8+DQogIDwvZGVmcz4NCiAgPHNvZGlwb2RpOm5hbWVk
 dmlldw0KICAgICBpbmtzY2FwZTp3aW5kb3ctaGVpZ2h0PSI3MzkiDQogICAgIGlu
 a3NjYXBlOndpbmRvdy13aWR0aD0iMTI4MCINCiAgICAgaW5rc2NhcGU6cGFnZXNo
 YWRvdz0iMiINCiAgICAgaW5rc2NhcGU6cGFnZW9wYWNpdHk9IjAuMCINCiAgICAg
 Z3VpZGV0b2xlcmFuY2U9IjEwLjAiDQogICAgIGdyaWR0b2xlcmFuY2U9IjEwLjAi
 DQogICAgIG9iamVjdHRvbGVyYW5jZT0iMTAuMCINCiAgICAgYm9yZGVyb3BhY2l0
 eT0iMS4wIg0KICAgICBib3JkZXJjb2xvcj0iIzY2NjY2NiINCiAgICAgcGFnZWNv
 bG9yPSIjZmZmZmZmIg0KICAgICBpZD0iYmFzZSINCiAgICAgc2hvd2dyaWQ9ImZh
 bHNlIg0KICAgICBpbmtzY2FwZTp6b29tPSIxLjE1MjExOTciDQogICAgIGlua3Nj
 YXBlOmN4PSIyMDAuNSINCiAgICAgaW5rc2NhcGU6Y3k9IjIwMC41Ig0KICAgICBp
 bmtzY2FwZTp3aW5kb3cteD0iLTkiDQogICAgIGlua3NjYXBlOndpbmRvdy15PSIt
 OSINCiAgICAgaW5rc2NhcGU6Y3VycmVudC1sYXllcj0ic3ZnMzU1MiIgLz4NCiAg
 PHBhdGgNCiAgICAgc3R5bGU9ImZpbGw6IzAwMDAwMCINCiAgICAgZD0iTSAzOC40
 NTczLDM5OC41IEMgMzguMjk4NzAxLDM5Ny45NSAzNy45MTcyMTEsMzk1LjA1Mzc2
 


Santesson et all.         Expires May 15, 2010                 [Page 11]

INTERNET DRAFT             Certificate Image           November 11, 2009


 IDM3LjYwOTU0NSwzOTIuMDYzOTEgQyAzNi4wOTA2NTcsMzc3LjMwMzYyIDI0LjI1
 NjQ4LDM2NS45NjIxMiA2Ljk0MDA4NDgsMzYyLjY3MTI3IEwgMC45OTM5ODQyLDM2
 MS41NDEyNiBMIDEuMjQ2OTkyMSwyMDAuMDI0ODMgTCAxLjUsMzguNTA4Mzk5IEwg
 Ny4yODQxMjQsMzcuNzg1ODk5IEMgMjQuMjM5MTU4LDM1LjY2ODAzMiAzNi4xODkx
 MTcsMjIuNjE5ODg1IDM4LjIyNjQ1Niw0IEwgMzguNSwxLjUgTCAyMDAuMjUsMS4y
 NDY5NzkyIEwgMzYyLDAuOTkzOTU4MzggTCAzNjIuMDEwODIsNC4yNDY5NzkyIEMg
 MzYyLjAyNDA3LDguMjI2NDQ5MiAzNjQuMTI4NzIsMTUuMzcxODMzIDM2Ni44NzA3
 OSwyMC43NDY3MjkgQyAzNzEuMTk3NjcsMjkuMjI4MTEyIDM4Mi4xNzE5NywzNi4w
 MzM4MjIgMzk0LjM0NjY5LDM3Ljc4NTg5OSBMIDM5OS41LDM4LjUyNzUxOCBMIDM5
 OS43NTMwMiwyMDAuMjYzNzYgTCA0MDAuMDA2MDQsMzYyIEwgMzk2Ljc1MzAyLDM2
 Mi4wMTE4NyBDIDM5Mi42MTkwMSwzNjIuMDI2OTUgMzg0LjQ3NDI4LDM2NC4xODQz
 OSAzODAuMTk2ODIsMzY2LjM5NzQxIEMgMzcxLjk0MDE0LDM3MC42NjkxNCAzNjQu
 NzA1MzIsMzgxLjg4OTIyIDM2Mi44MDI1MywzOTMuMzczMjMgTCAzNjEuNzg3Mzks
 Mzk5LjUgTCAyMDAuMjY2NTMsMzk5LjUgQyA5My40NDQ4NTgsMzk5LjUgMzguNjQ4
 MDA4LDM5OS4xNjEzNSAzOC40NTczLDM5OC41IHogTSAzNTQuOTMwNjEsMzgzLjk4
 ODgxIEMgMzU5LjQ2NTMsMzY5LjMzMjUyIDM3MC4xNTYxNCwzNTguNTUwNDIgMzg0
 LjEyNjYyLDM1NC41NDM1OCBMIDM4OS43NTMyNCwzNTIuOTI5ODIgTCAzODkuNjI2
 NjIsMjAwLjIyMjU4IEwgMzg5LjUsNDcuNTE1MzQ3IEwgMzgzLjMxMzQ5LDQ1LjMx
 MDI5NSBDIDM3Ni44NjI2OSw0My4wMTEwNDQgMzcwLjE5MTM0LDM5LjI1NjI1MSAz
 NjYuMTA3NjcsMzUuNjI2NDQ0IEMgMzYyLjIxODI1LDMyLjE2OTMxMyAzNTYuMDU0
 MTMsMjEuOTk0IDM1NC4zOTc5LDE2LjI5Njc4IEwgMzUyLjg1ODA4LDExIEwgMTk5
 Ljk1Njk4LDExIEwgNDcuMDU1ODcsMTEgTCA0NS40ODA4ODQsMTYuNDE3NzYgQyA0
 MS4zNTA0MiwzMC42MjYwNTcgMjcuNDIxOTY0LDQ0LjA4NzgxMyAxNC4yNSw0Ni42
 MDIxOTMgTCAxMSw0Ny4yMjI1ODIgTCAxMSwyMDAuMzczNzggTCAxMSwzNTMuNTI0
 OTggTCAxNy4yODE0NTYsMzU1LjMyMzkxIEMgMjkuNjMxMjA4LDM1OC44NjA3MiA0
 MS4zNDI5NDQsMzcwLjE3NDk2IDQ1LjQxMjI5NywzODIuNSBDIDQ2LjMyMDI2NCwz
 ODUuMjUgNDcuMjYwMzY3LDM4OC4wNjM5NCA0Ny41MDE0MTUsMzg4Ljc1MzIgQyA0
 Ny44NTA1NjYsMzg5Ljc1MTU3IDc4Ljk3ODIxNiwzODkuOTU0OTEgMjAwLjU4MjU2
 LDM4OS43NTMyIEwgMzUzLjIyNTQ0LDM4OS41IEwgMzU0LjkzMDYxLDM4My45ODg4
 MSB6Ig0KICAgICBpZD0icGF0aDM1NjMiIC8+DQo8L3N2Zz4NCg==


















 


Santesson et all.         Expires May 15, 2010                 [Page 12]

INTERNET DRAFT             Certificate Image           November 11, 2009


 The example above stores the following SVG image:


 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Created with Inkscape (http://www.inkscape.org/) -->
 <svg
    xmlns:dc="http://purl.org/dc/elements/1.1/"
    xmlns:cc="http://creativecommons.org/ns#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:svg="http://www.w3.org/2000/svg"
    xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
    id="svg3552"
    sodipodi:version="0.32"
    inkscape:version="0.46"
    width="401"
    height="401"
    version="1.0"
    sodipodi:docname="ticketframe.svg"
    inkscape:output_extension="org.inkscape.output.svg.inkscape">
   <metadata
      id="metadata3557">
     <rdf:RDF>
       <cc:Work
          rdf:about="">
         <dc:format>image/svg+xml</dc:format>
         <dc:type
            rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
       </cc:Work>
     </rdf:RDF>
   </metadata>
   <defs
      id="defs3555">
     <inkscape:perspective
        sodipodi:type="inkscape:persp3d"
        inkscape:vp_x="0 : 526.18109 : 1"
        inkscape:vp_y="0 : 1000 : 0"
        inkscape:vp_z="744.09448 : 526.18109 : 1"
        inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
        id="perspective3559" />
   </defs>
   <sodipodi:namedview
      inkscape:window-height="739"
      inkscape:window-width="1280"
      inkscape:pageshadow="2"
      inkscape:pageopacity="0.0"
 


Santesson et all.         Expires May 15, 2010                 [Page 13]

INTERNET DRAFT             Certificate Image           November 11, 2009


      guidetolerance="10.0"
      gridtolerance="10.0"
      objecttolerance="10.0"
      borderopacity="1.0"
      bordercolor="#666666"
      pagecolor="#ffffff"
      id="base"
      showgrid="false"
      inkscape:zoom="1.1521197"
      inkscape:cx="200.5"
      inkscape:cy="200.5"
      inkscape:window-x="-9"
      inkscape:window-y="-9"
      inkscape:current-layer="svg3552" />
   <path
      style="fill:#000000"
      d="M 38.4573,398.5 C 38.298701,397.95 37.917211,395.05376
 37.609545,392.06391 C 36.090657,377.30362 24.25648,365.96212
 6.9400848,362.67127 L 0.9939842,361.54126 L 1.2469921,200.02483 L
 1.5,38.508399 L 7.284124,37.785899 C 24.239158,35.668032
 36.189117,22.619885 38.226456,4 L 38.5,1.5 L 200.25,1.2469792 L
 362,0.99395838 L 362.01082,4.2469792 C 362.02407,8.2264492
 364.12872,15.371833 366.87079,20.746729 C 371.19767,29.228112
 382.17197,36.033822 394.34669,37.785899 L 399.5,38.527518 L
 399.75302,200.26376 L 400.00604,362 L 396.75302,362.01187 C
 392.61901,362.02695 384.47428,364.18439 380.19682,366.39741 C
 371.94014,370.66914 364.70532,381.88922 362.80253,393.37323 L
 361.78739,399.5 L 200.26653,399.5 C 93.444858,399.5 38.648008,399.16135
 38.4573,398.5 z M 354.93061,383.98881 C 359.4653,369.33252
 370.15614,358.55042 384.12662,354.54358 L 389.75324,352.92982 L
 389.62662,200.22258 L 389.5,47.515347 L 383.31349,45.310295 C
 376.86269,43.011044 370.19134,39.256251 366.10767,35.626444 C
 362.21825,32.169313 356.05413,21.994 354.3979,16.29678 L 352.85808,11 L
 199.95698,11 L 47.05587,11 L 45.480884,16.41776 C 41.35042,30.626057
 27.421964,44.087813 14.25,46.602193 L 11,47.222582 L 11,200.37378 L
 11,353.52498 L 17.281456,355.32391 C 29.631208,358.86072
 41.342944,370.17496 45.412297,382.5 C 46.320264,385.25
 47.260367,388.06394 47.501415,388.7532 C 47.850566,389.75157
 78.978216,389.95491 200.58256,389.7532 L 353.22544,389.5 L
 354.93061,383.98881 z"
      id="path3563" />
 </svg>






 


Santesson et all.         Expires May 15, 2010                 [Page 14]

INTERNET DRAFT             Certificate Image           November 11, 2009


Authors' Addresses


   Stefan Santesson
   3xA Security (AAA-sec.com)
   Bjornstorp 744
   247 98 Genarp
   Sweden
   EMail: sts@aaa-sec.com

   Russell Housley
   Vigil Security, LLC
   918 Spring Knoll Drive
   Herndon, VA 20170
   USA
   EMail: housley@vigilsec.com

   Siddharth Bajaj
   VeriSign
   685 East Middlefield rd
   Mountain view, CA 94043
   USA
   Email: sbajaj@verisign.com

   Leonard Rosenthol
   3533 Sunset Way
   Huntingdon Valley, PA 19006
   USA
   Email: leonardr@adobe.com






















Santesson et all.         Expires May 15, 2010                 [Page 15]