- From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
- Date: Fri, 7 Mar 2008 10:21:24 -0500
- To: Thomas Roessler <tlr@w3.org>
- Cc: WSC WG <public-wsc-wg@w3.org>, public-wsc-wg-request@w3.org
- Message-ID: <OF4A34B796.202528C6-ON85257405.00543BF1-85257405.00545B7D@LocalDomain>
In the context of the rewrite, I've got problems with this:

A certificate that is [Definition: pinned] to a destination will be treated similar (but not identical) to a validated certificate in interactions defined elsewhere in this specification.

Since it seems to contradict the spirit of the differentiation, and I just find it confusing, vague, and uninformative.

There are two fixes I can think of.

1) If the spec is clear on the similarities and differences throughout, just remove the line.
2) If it's not, replace or augment the line with what they are.

From: Thomas Roessler <tlr@w3.org>
To: WSC WG <public-wsc-wg@w3.org>
Date: 03/07/2008 08:54 AM
Subject: Nomenclature fixes around self-signed certificates

From a discussion with Mez on IRC, I've made some changes to the nomenclature in wsc-xit, around wsc-xit.

- self-signed and validated certificates are now mutually exclusive; "pinning" a self-signed certificate to a destination does not cause it to be considered a validated certificate. While I was on it, I've reinstated the "don't conclude anything from assertions that come with a self-signed cert" clause that we seemed to have lost when merging Stephen's edit.

- Where (like in the definition of strong and weak TLS) validated certificates were assumed to include self-signed certificates, that's now explicitly called out.

It seems like this doesn't directly affect 6.1 (in fact, I suspect that the old state of the language had some unintended consequences there). It almost certainly affects the error handling section, which comes with a "big fat warning" note in the editor's draft, as it needs a more thorough rewrite.

http://www.w3.org/2006/WSC/drafts/rec/

Web Security Context: Experience, Indicators, and Trust
Editor's Draft 7 March 2008
$Revision: 1.184 $ $Date: 2008/03/07 13:55:37 $

Regards,
--
Thomas Roessler, W3C <tlr@w3.org>

Received on Friday, 7 March 2008 15:21:44 UTC