ISSUE-135 (SSC assertions): Not trusting any SSC assertion seems overbroad [wsc-xit] from Web Security Context Working Group Issue Tracker on 2007-12-14 (public-wsc-wg@w3.org from December 2007)

From: Web Security Context Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Fri, 14 Dec 2007 21:51:04 +0000 (GMT)
To: public-wsc-wg@w3.org
Message-Id: <20071214215104.79D7BC6DB0@barney.w3.org>

ISSUE-135 (SSC assertions): Not trusting any SSC assertion seems overbroad [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Mary Ellen Zurko
On product: wsc-xit

5.3.7

"However, Web user agents MUST NOT conclude that any assertions that may be included with the certificate are valid."

Why not, and how does that apply to usefully trusting self signed certs? I imagine there are some assertions that would be obviously a bad idea to trust in an self signed cert, but all assertions, past, present and future? How do we know that's a good idea?

Received on Friday, 14 December 2007 21:51:15 UTC