Additional Security Context Information: "why trusted?"

The same set of ominous notes reminds me that there should be more
information about the source of trust as part of the additional
security context information.  I've elaborated a bit on the "The
reason why the identity information is trusted" bullet, though I'm
not 100% sure that's the right hook for this.  Improvement proposals
(including on the list) welcome.

Current text:

	The information sources MUST make the following security
	context information available:
	
	...

	The reason why the identity information is trusted (or not).
	This includes whether or not a certificate was accepted
	interactively, whether a self-signed certificate was used,
	and whether the self-signed certificate was pinned to the
	site that the user interacts with, and whether trust
	relevant settings of the user agent were otherwise
	overridden through user action.

	http://www.w3.org/2006/WSC/Drafts/rec/rewrite.html#asc-must
	
Web Security Context: Experience, Indicators, and Trust
Editor's Draft 19 March 2008
$Revision: 1.205 $ $Date: 2008/03/19 21:56:05 $

Regards,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

Received on Wednesday, 19 March 2008 21:58:20 UTC