Check the requested and optional CHAT against the certificate from the eID server
Currently an eID server could send a requested and optional CHAT with data groups/special functions set for which its certificate doesn't have the appropriate rights.
A check should be implemented, and either a security error (requested CHAT) should be raised or the optional data groups should be disabled.
Updated by Moritz Horsch over 8 years ago
I don't see any benefit of such a feature. If you consider the eID server to be untrustworthy, a manipulated CHAT will be your least problem. If the CHAT really does not fit the terminal certificate, the German identity card should deny any access.
Of course, you can verify that the optional CHAT is a subset of the required CHAT and that the CHAT matches the terminal certificate. To do that, you must verify the certificate chain and, as you know, not all of the eID servers send the complete chain.
Finally, the German identity card does that anyway for you.
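As an added example (not code from the project or from the commenter), the client-side check the issue asks for and the comment describes: parse the CHATs, AND the rights over the whole certificate chain, reject a requested CHAT the chain does not cover, and prune the optional CHAT. The 7F4C/06/53 layout, the id-AT OID and the bit numbering are assumptions taken from BSI TR-03110-4, not from this page.

```python
# Added example (not project code): check the eID server's requested/optional CHAT
# against the terminal certificate chain before the CHAT is forwarded to the card.
# Assumed layout per BSI TR-03110-4 (authentication terminal): a 7F4C DO holding the
# id-AT OID (06) and 5 bytes of discretionary data (53); the top two bits of byte 0
# are the holder role, the other 38 bits are rights (assumed: bit 0 age verification,
# bits 8.. read DG1, DG2, ...).
from dataclasses import dataclass

ROLE_MASK = 0xC0                             # role bits are not access rights
ID_AT = bytes.fromhex("04007F000703010202")  # OID 0.4.0.127.0.7.3.1.2.2

def parse_chat(der: bytes) -> int:
    """Return the 40-bit authorization of a 7F4C CHAT with the role bits cleared."""
    if der[:2] != b"\x7f\x4c" or len(der) != 3 + der[2] or der[3] != 0x06:
        raise ValueError("not a well-formed CHAT")
    rest = der[5 + der[4]:]                  # skip the OID, keep the 53 DO
    if len(rest) != 7 or rest[:2] != b"\x53\x05":
        raise ValueError("expected 5 authorization bytes")
    auth = bytearray(rest[2:])
    auth[0] &= ~ROLE_MASK & 0xFF
    return int.from_bytes(auth, "big")

def build_chat(auth: bytes) -> bytes:
    """Encode a CHAT DO from 5 raw authorization bytes (used for constructed test data)."""
    body = b"\x06" + bytes([len(ID_AT)]) + ID_AT + b"\x53\x05" + auth
    return b"\x7f\x4c" + bytes([len(body)]) + body

def effective_rights(chain: list[bytes]) -> int:
    """Rights the card will grant: AND over CVCA, DV and terminal CHATs, so the full chain is needed."""
    if not chain:
        raise ValueError("certificate chain is empty")
    rights = (1 << 38) - 1
    for chat in chain:
        rights &= parse_chat(chat)
    return rights

@dataclass
class ChatDecision:
    requested_ok: bool       # False: security error, do not forward the CHAT to the card
    excess_requested: int    # requested bits the certificate chain does not cover
    effective_optional: int  # optional bits kept; the rest are disabled for the user

def check_chats(requested: bytes, optional: bytes, chain: list[bytes]) -> ChatDecision:
    allowed = effective_rights(chain)
    req, opt = parse_chat(requested), parse_chat(optional)
    if opt & ~req:                           # optional must be a subset of required
        raise ValueError("optional CHAT is not a subset of the required CHAT")
    excess = req & ~allowed
    return ChatDecision(excess == 0, excess, opt & allowed)

# Constructed chain: CVCA grants all, DV read DG1-DG4 + age verification, terminal read DG1-DG2 + age.
CHAIN = [build_chat(bytes.fromhex(h)) for h in ("FFFFFFFFFF", "8000000F01", "0000000301")]
```

A server requesting read DG4 against this chain yields `requested_ok == False` with the DG4 bit reported in `excess_requested`, which is the point at which the client should stop rather than let the card refuse later.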