Support for trust
- Last Updated: January 16, 2024
- OpenEdge
- Version 12.8
By implication, TLS supports the trust model needed to establish trusted TLS server identities, consistent with the PKI X.509 standard, and it advises due caution in the choice of root CAs for this purpose. In particular, TLS relies on X.509 public-key certificates authorized by root CAs, and on the Digital Signature Standard (DSS), to assure TLS client and server authentication.
The TLS specification also strongly suggests that any implementation support certificate revocation messages and provide a means of choosing which trusted root CAs may authorize digital certificates, but it does not specify how to do so. It further suggests that a means be provided to view information about digital certificates and root CAs.
As stated in section "F.3 Final notes" of The TLS Protocol Version 1.0 specification (see TLS standards support in OpenEdge): "The system is only as strong as the weakest key exchange and authentication algorithm supported, and only trustworthy cryptographic functions should be used. Short public keys, 40-bit bulk encryption keys, and anonymous servers should be used with great caution. Implementations and users must be careful when deciding which certificates and certificate authorities are acceptable; a dishonest certificate authority can do tremendous damage."
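The cautions above map directly onto how a TLS client is configured. The following added example (not OpenEdge code) uses Python's standard ssl module to build a client context that trusts only an explicitly chosen root CA bundle, requires TLS 1.2 or later, refuses anonymous key exchange and weak bulk ciphers, and summarizes a peer certificate so its subject, issuer and validity window can be reviewed. The cafile path and the sample certificate dictionary are constructed assumptions.

```python
import ssl
# Cipher filter: no anonymous key exchange (aNULL), no NULL/export/low-strength bulk
# ciphers, reflecting the spec's caution about anonymous servers and 40-bit keys.
STRONG_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5:!DES:!3DES"

def build_strict_client_context(cafile=None):
    """Client context trusting only `cafile`, a PEM bundle of the root CA(s) the operator
    chose (assumed path; the page names none). None falls back to the platform store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # server must chain to a trusted root
    ctx.check_hostname = True             # and the chain must name the host dialed
    ctx.set_ciphers(STRONG_CIPHERS)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx

def weak_ciphers(ctx):
    """Enabled ciphers that are anonymous or under 128 bits; should be []."""
    return [c["name"] for c in ctx.get_ciphers()
            if "Au=None" in c["description"] or c["strength_bits"] < 128]

def _name_field(rdn_seq, key):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in rdn_seq:
        for attr, value in rdn:
            if attr == key:
                return value
    return None

def summarize_peer_cert(cert, now):
    """Summarize a getpeercert() dict at time `now` (epoch seconds): subject,
    issuer, and whether the certificate is inside its validity window."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": _name_field(cert.get("subject", ()), "commonName"),
        "issuer_cn": _name_field(cert.get("issuer", ()), "commonName"),
        "valid_now": not_before <= now <= not_after,
    }

# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "appserver.example.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",
}
```

After a real handshake, pass `sock.getpeercert()` and `time.time()` to `summarize_peer_cert` to review what the server presented; revocation checking is not enabled here and would additionally require loading a CRL.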