c2pa-org / public-draft

Repository for the public drafts of the C2PA Specifications
Creative Commons Attribution 4.0 International

Self-signed certificates are incorrectly identified as trusted #16

Closed lrosenthol closed 3 years ago

lrosenthol commented 3 years ago

From JPEG Fake Media:

Section 13.2.1.1 permits self-signed certificates and says that "Self-signed certificates must be explicitly trusted by validators."

Yes, that sentence is worded confusingly. It should read, “For a self-signed certificate to be trusted, it must be known and trusted explicitly by the validator. Self-signed certificates should never appear on a trust list.”

lrosenthol commented 3 years ago

TWG agrees to address for next public draft.