ISSUE-207
identity, not security
Add Section 9.3 - Certificates assure identity, not security
- State:
- CLOSED
- Product:
- wsc-xit
- Raised by:
- Johnathan Nightingale
- Opened on:
- 2008-05-14
- Description:
- 9.3 Certificates assure identity, not security
While TLS certificates of all types (i.e. self-signed, validated, or augmented assurance) provide the means for strong encryption of communications, they should not be understood to be, or treated as, blanket security assurances. In particular, validated and AA certificates make guarantees about some level of owner identity verification having been performed (see definitions) but they do not represent any guarantees that a site is operated in a safe manner, or is not otherwise subject to attack. Historically, issues of security and identity have been conflated by user agent interfaces which present SSL/TLS connections as "secure," but implementers of this specification are advised to be cautious and cognizant of this distinction. - Related Actions Items:
- No related actions
- Related emails:
- Meeting record: 2008-05-14 (from tlr@w3.org on 2008-06-06)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from ifette@google.com on 2008-05-27)
- Re: Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from steele@adobe.com on 2008-05-27)
- Agenda: WSC WG distributed meeting, Wednesday, 2008-05-28 (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-22)
- ACTION-455 Resolution, I think (from johnath@mozilla.com on 2008-05-22)
- WSC Open Action Items (from Mary_Ellen_Zurko@notesdev.ibm.com on 2008-05-16)
- ISSUE-207 (identity, not security): Add Section 9.3 - Certificates assure identity, not security [wsc-xit] (from sysbot+tracker@w3.org on 2008-05-14)
Related notes:
ACTION-459 completed
Anil Saldhana, 16 May 2008, 18:22:53Display change log