ISSUE-207

identity, not security

Add Section 9.3 - Certificates assure identity, not security

State: CLOSED
Product: wsc-xit
Raised by: Johnathan Nightingale
Opened on: 2008-05-14
Description:
9.3 Certificates assure identity, not security

While TLS certificates of all types (i.e. self-signed, validated, or augmented assurance) provide the means for strong encryption of communications, they should not be understood to be, or treated as, blanket security assurances. In particular, validated and AA certificates make guarantees about some level of owner identity verification having been performed (see definitions) but they do not represent any guarantees that a site is operated in a safe manner, or is not otherwise subject to attack. Historically, issues of security and identity have been conflated by user agent interfaces which present SSL/TLS connections as "secure," but implementers of this specification are advised to be cautious and cognizant of this distinction.
Related Action Items:
No related actions
Related emails:
  1. Meeting record: 2008-05-14 (from tlr@w3.org on 2008-06-06)
  2. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from ifette@google.com on 2008-05-27)
  3. Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from steele@adobe.com on 2008-05-27)
  4. Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-22)
  5. ACTION-455 Resolution, I think (from johnath@mozilla.com on 2008-05-22)
  6. WSC Open Action Items (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-16)
  7. ISSUE-207 (identity, not security): Add Section 9.3 - Certificates assure identity, not security [wsc-xit] (from sysbot+tracker@w3.org on 2008-05-14)

Related notes:

ACTION-459 completed

Anil Saldhana, 16 May 2008, 18:22:53

Mary Ellen Zurko <mzurko@us.ibm.com>, Chair, Thomas Roessler <tlr@w3.org>, Staff Contact