Comment 5 for bug 1421825

Guang Yee (guang-yee) wrote :

I don't know why users aren't allowed to validate or revoke their own tokens. I am guessing it was done for security purposes? Since UUID tokens are just opaque strings, whoever steals your token shouldn't be able to find out what the token can do by performing token validation. That at least prevents information disclosure.

However, the introduction of PKI tokens changed that line of thinking, whether that was intentional or not. Anyone who has access to the simple cert endpoints can retrieve the signing cert to validate the tokens.

I guess what I am trying to say is that we need to figure out a way to have the policies consistently applied, regardless of token provider.