On Tuesday, June 11, 2019 at 2:49:31 PM UTC+3, Jeremy Rowley wrote:
> We wanted to experiment a bit with logotype extensions and trademarks, but
> we heard from the CAB Forum that whether inclusion is allowed is subject a
> bit to interpretation by the browsers.
>
> From the BRs section 7.1.2.4
>
> "All other fields and extensions MUST be set in accordance with RFC 5280.
> The CA SHALL NOT issue a Certificate that contains a keyUsage flag,
> extendedKeyUsage value, Certificate extension, or other data not specified
> in section 7.1.2.1, 7.1.2.2, or 7.1.2.3 unless the CA is aware of a reason
> for including the data in the Certificate. CAs SHALL NOT issue a Certificate
> with: a. Extensions that do not apply in the context of the public Internet
> (such as an extendedKeyUsage value for a service that is only valid in the
> context of a privately managed network), unless: i. such value falls within
> an OID arc for which the Applicant demonstrates ownership, or ii. the
> Applicant can otherwise demonstrate the right to assert the data in a public
> context; or b. semantics that, if included, will mislead a Relying Party
> about the certificate information verified by the CA (such as including
> extendedKeyUsage value for a smart card, where the CA is not able to verify
> that the corresponding Private Key is confined to such hardware due to
> remote issuance)."
>
> In this case, the logotype extension would have a trademark included (or
> link to a trademark). I think this is allowed as:
>
> 1. There is a reason for including the data in the Certificate (to
> identify a verified trademark). Although you may disagree about the reason
> for needing this information, there is a not small number of people
> interested in figuring out how to better use identification information. No
> browser would be required to use the information (of course), but it would
> give organizations another way to manage certificates and identity
> information - one that is better (imo) than org information.
> 2. The cert applies in the context of the public Internet.
> Trademarks/identity information is already included in the BRs.
> 3. The trademark does not fall within an OID arc for which the
> Applicant demonstrates ownership (no OID included).
> 4. The Applicant can otherwise demonstrate the right to assert the data
> in a public context. If we vet ownership of the trademark with the
> appropriate office, there's no conflict there.
> 5. Semantics that, if included, will not mislead a Relying Party about
> the certificate information verified by the CA (such as including
> extendedKeyUsage value for a smart card, where the CA is not able to verify
> that the corresponding Private Key is confined to such hardware due to
> remote issuance). None of these examples are very close to the proposal.
>
> What I'm looking for is not a discussion on whether this is a good idea, but
> rather is it currently permitted under the BRs per Mozilla's
> interpretation. I'd like to have the "is this a good idea" discussion, but
> in a separate thread to avoid conflating permitted action compared to ideal
> action.
>
> Jeremy

Sorry – the USPTO links for the Subway registered trademarks in my last message expired. Go to this search page

http://tmsearch.uspto.gov/bin/gate.exe?f=searchss&state=4808:d53jqt.1.1

And search on these two Serial or Registration Numbers to see the Subway logo and word mark:

5373029
5601308

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

