ACTION-306: Trust anchors

I propose that we add the following text in the beginning of 6.2:

> The validation procedure given in this section describes extensions  
> to XML Signature Core Validation.  In addition to the steps defined  
> in these two specifications, user agents MUST perform Basic Path  
> Validation [RFC 5280] on the signing key.  The set of acceptable  
> trust anchors, and policy decisions based on the signer's identity  
> are established through a security-critical out-of-band mechanism.

(If somebody can think of something nicer to say, that's fine as  
well.  Note that the Basic Path Validation requirement isn't really  
new -- it's implicit to our use of X.509, if done properly.   
Nevertheless, worth calling out properly.)

--
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 25 February 2009 14:23:49 UTC