I propose that we add the following text at the beginning of 6.2:

The validation procedure given in this section describes extensions to XML Signature Core Validation. In addition to the steps defined in these two specifications, user agents MUST perform Basic Path Validation [RFC 5280] on the signing key. The set of acceptable trust anchors and policy decisions based on the signer's identity are established through a security-critical out-of-band mechanism.

(If somebody can think of something nicer to say, that's fine as well. Note that the Basic Path Validation requirement isn't really new -- it's implicit to our use of X.509, if done properly. Nevertheless, worth calling out properly.)

--
Thomas Roessler, W3C  <[email protected]>
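
As an added illustration, not part of the message above or of the spec draft it discusses: a constructed Python model of the Basic Path Validation step the proposed text requires, with the trust-anchor set supplied out of band rather than taken from the signature. Certificates are plain records and signatures are textbook RSA with hard-coded Mersenne primes, which is a toy and not real X.509 or secure RSA; all names ("CN=Example Root" and so on) are invented. What it shows is the checks a user agent has to run on the path from anchor to signing key: anchor membership in the configured set, name and signature chaining, validity window, basicConstraints cA, and pathLenConstraint.

```python
"""Constructed model of RFC 5280 Basic Path Validation for a signing key.

Toy: records instead of X.509, textbook RSA with small primes. The logic,
not the cryptography, is the point of the example.
"""
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

RSA_E = 65537
# Mersenne primes; 65537 divides none of p-1, so e is invertible mod phi(n).
PRIMES = [2**31 - 1, 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1]


def make_keypair(p: int, q: int):
    """Textbook RSA (no padding, toy sizes): returns (public, private)."""
    n = p * q
    return (n, RSA_E), (n, pow(RSA_E, -1, (p - 1) * (q - 1)))


def _hash_mod_n(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_hash_mod_n(data, n), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_mod_n(data, n)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: tuple
    not_before: datetime
    not_after: datetime
    is_ca: bool              # basicConstraints cA
    path_len: Optional[int]  # basicConstraints pathLenConstraint (None = absent)
    signature: int

    def tbs(self) -> bytes:
        """The 'to be signed' part: every field except the signature."""
        return "|".join([self.subject, self.issuer, str(self.public_key[0]),
                         self.not_before.isoformat(), self.not_after.isoformat(),
                         str(self.is_ca), str(self.path_len)]).encode()


def issue(subject, pub, issuer_subject, issuer_priv, not_before, not_after,
          is_ca=False, path_len=None) -> Cert:
    unsigned = Cert(subject, issuer_subject, pub, not_before, not_after, is_ca, path_len, 0)
    return replace(unsigned, signature=rsa_sign(issuer_priv, unsigned.tbs()))


def validate_path(chain, trust_anchors, now):
    """Simplified RFC 5280 section 6.1. chain[0] is the candidate anchor, chain[-1]
    holds the signing key; trust_anchors (name -> public key) is configured out of
    band and never taken from the signature. Returns (ok, reason)."""
    anchor = chain[0]
    if trust_anchors.get(anchor.subject) != anchor.public_key:
        return False, "trust anchor not in configured set"
    max_path_len = anchor.path_len if anchor.path_len is not None else len(chain) - 1
    for i in range(1, len(chain)):
        cert, issuer = chain[i], chain[i - 1]
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject}: issuer name does not chain"
        if not rsa_verify(issuer.public_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify"
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if i < len(chain) - 1:  # intermediate: must be a CA within the path length
            if not cert.is_ca:
                return False, f"{cert.subject}: not a CA (basicConstraints)"
            if cert.subject != cert.issuer:  # self-issued certs do not consume length
                if max_path_len <= 0:
                    return False, f"{cert.subject}: pathLenConstraint exceeded"
                max_path_len -= 1
            if cert.path_len is not None and cert.path_len < max_path_len:
                max_path_len = cert.path_len
    return True, "path valid"


def run_scenarios(now=datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Constructed chain with fictional names, plus failure modes the check must catch."""
    root_pub, root_priv = make_keypair(PRIMES[0], PRIMES[1])
    ca_pub, ca_priv = make_keypair(PRIMES[2], PRIMES[3])
    leaf_pub, leaf_priv = make_keypair(PRIMES[4], PRIMES[5])

    def window(days):
        return now - timedelta(days=1), now + timedelta(days=days)

    root = issue("CN=Example Root", root_pub, "CN=Example Root", root_priv, *window(3650), True, 1)
    ca = issue("CN=Example Signing CA", ca_pub, root.subject, root_priv, *window(365), True, 0)
    leaf = issue("CN=Example Author", leaf_pub, ca.subject, ca_priv, *window(30))
    anchors = {root.subject: root_pub}  # the out-of-band trust set
    sub_ca = issue("CN=Extra CA", ca_pub, ca.subject, ca_priv, *window(365), True)
    leaf2 = issue("CN=Author 2", leaf_pub, sub_ca.subject, ca_priv, *window(30))
    rogue = issue("CN=Rogue", ca_pub, leaf.subject, leaf_priv, *window(30))
    return {
        "good": validate_path([root, ca, leaf], anchors, now),
        "unknown_anchor": validate_path([root, ca, leaf], {}, now),
        "expired": validate_path([root, ca, leaf], anchors, now + timedelta(days=60)),
        "leaf_used_as_ca": validate_path([root, ca, leaf, rogue], anchors, now),
        "path_len": validate_path([root, ca, sub_ca, leaf2], anchors, now),
        "tampered": validate_path([root, ca, replace(leaf, subject="CN=Someone Else")], anchors, now),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:16} {'OK  ' if ok else 'FAIL'} {reason}")
```

The "unknown_anchor" case is the one the proposed wording is really about: a self-signed root carried inside the signature must count for nothing unless it matches an anchor the user agent already holds, so the trust set has to arrive through a channel the signer does not control.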