ISSUE-135 (SSC assertions): Not trusting any SSC assertion seems overbroad [wsc-xit]

Raised by: Mary Ellen Zurko
On product: wsc-xit


"However, Web user agents MUST NOT conclude that any assertions that may be included with the certificate are valid."

Why not, and how does that apply to usefully trusting self-signed certs? I imagine there are some assertions that would be obviously a bad idea to trust in a self-signed cert, but all assertions, past, present and future? How do we know that's a good idea?

Received on Friday, 14 December 2007 21:51:15 UTC