ISSUE-207 (identity, not security): Add Section 9.3 - Certificates assure identity, not security [wsc-xit]

http://www.w3.org/2006/WSC/track/issues/

Raised by: Johnathan Nightingale
On product: wsc-xit

9.3 Certificates assure identity, not security

While TLS certificates of all types (i.e. self-signed, validated, or augmented assurance) provide the means for strong encryption of communications, they should not be understood to be, or treated as, blanket security assurances. In particular, validated and AA certificates make guarantees about some level of owner identity verification having been performed (see definitions) but they do not represent any guarantees that a site is operated in a safe manner, or is not otherwise subject to attack. Historically, issues of security and identity have been conflated by user agent interfaces which present SSL/TLS connections as "secure," but implementers of this specification are advised to be cautious and cognizant of this distinction.

Received on Wednesday, 14 May 2008 11:17:36 UTC