26 lines
1.4 KiB
Markdown
26 lines
1.4 KiB
Markdown
# Review Synthesis
|
|
|
|
## Blocking findings
|
|
|
|
- Add an explicit conformance rule that portable trust assertions require authenticated origin and integrity protection; unauthenticated portable assertions must not be treated as conformant input.
|
|
- Tighten stale-data handling so clearly expired assertions are rejected rather than merely "downgraded" at implementer discretion.
|
|
- Define a firmer minimum portable data shape for trust assertions, including explicit model identification.
|
|
|
|
## Major findings
|
|
|
|
- Clarify whether trust-event interoperability is core to the document or whether trust events are primarily feeder objects for portable assertions.
|
|
- Strengthen the handling of negative assertions by requiring either evidence reference or explanation code when such assertions are exchanged portably.
|
|
- Clarify revocation versus supersession.
|
|
- Add one compact example of conflicting assertions from different issuers to make receiver processing easier to implement.
|
|
|
|
## Minor findings
|
|
|
|
- Tighten abstract wording around scoped issuer opinion.
|
|
- Make a few terminology definitions more RFC-like.
|
|
- Reduce provisional tone in IANA and dependency text.
|
|
|
|
## Conflicts resolved
|
|
|
|
- No major reviewer conflict exists. All reviewers support the narrow scope.
|
|
- The only tension is between remaining model-agnostic and becoming implementable. Resolution: keep algorithm choice open, but define a stronger minimum portable assertion envelope and clearer stale-data behavior.
|