Comment 2 for bug 1872755

Colleen Murphy (krinkle) wrote :

I have verified that this is true: a credential created using a trust scope has the trust_id attribute in the blob, and this can be PATCHed to set trust_id to null. However, I'm unclear on the consequences of this. No matter the content of the trust_id value of the blob, a token request using the EC2 credential does not have trust information in it; see attached example. Only the admin or owner can modify the credential. Can you explain with examples how this could be exploited?