Feature #106

Check the requested and optional CHAT against the certificate from the eID server

Added by Dirk Petrautzki over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
High
Assignee:
Target version:
-
Start date:
07/05/2012
Due date:
% Done:

0%

Estimated time:
Reviewer:
Build Version:

Description

Currently an eID server could send a requested and optional CHAT with data groups/special functions set for which its certificate doesn't have the appropriate rights.
A check should be implemented, and either a security error (for the requested CHAT) should be raised or the optional data group should be disabled.

History

#1

Updated by Detlef Hühnlein over 8 years ago

  • Priority changed from Low to High
#2

Updated by Moritz Horsch over 8 years ago

I don't see any benefit of such a feature. If you consider the eID server to be untrustworthy, a manipulated CHAT will be your least problem. If the CHAT really does not fit the terminal certificate, the German identity card should deny any access.

Of course, you can verify that the optional CHAT is a subset of the required CHAT and that the CHAT matches the terminal certificate. To do that, you must verify the certificate chain and, as you know, not all of the eID servers send the complete chain.

Finally, the German identity card does that anyway for you.
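The check the description asks for, written out as an added example that is not Open eCard code and not part of this comment: requested rights outside the certificate's CHAT are a security error, optional rights outside it are disabled. It assumes the certificate's CHAT has already been taken from a verified chain (the point made in comment #2), and the bit positions below are a constructed mapping, not the TR-03110 layout.

```python
"""Check requested and optional CHAT against the terminal certificate's CHAT.

Added example, not Open eCard code.  A CHAT's relative authorization is
modelled as a bit mask; the right-to-bit mapping below is constructed for
illustration and is not the TR-03110 layout.
"""


class ChatSecurityError(Exception):
    """The requested CHAT asks for rights the certificate does not grant."""


# Constructed mapping of data groups / special functions to bit positions.
RIGHTS = {
    "DG1_DOCUMENT_TYPE": 0, "DG2_ISSUING_STATE": 1, "DG4_GIVEN_NAMES": 2,
    "DG5_FAMILY_NAMES": 3, "DG8_DATE_OF_BIRTH": 4, "DG17_ADDRESS": 5,
    "AGE_VERIFICATION": 6, "COMMUNITY_ID_VERIFICATION": 7, "RESTRICTED_ID": 8,
}


def chat_mask(*names: str) -> int:
    """Build a CHAT bit mask from right names."""
    mask = 0
    for name in names:
        mask |= 1 << RIGHTS[name]
    return mask


def chat_names(mask: int) -> list[str]:
    """Name the rights set in a CHAT bit mask."""
    return [name for name, bit in RIGHTS.items() if mask >> bit & 1]


def check_chat(cert_chat: int, requested_chat: int, optional_chat: int) -> tuple[int, list[str]]:
    """Validate the eID server's CHATs against the certificate's CHAT.

    Requested rights the certificate does not grant are a security error.
    Optional rights it does not grant are disabled (cleared).  Returns the
    effective optional CHAT and the names of the disabled optional rights,
    so a client UI can show what was dropped.
    """
    missing = requested_chat & ~cert_chat
    if missing:
        raise ChatSecurityError(
            "requested rights not covered by terminal certificate: "
            + ", ".join(chat_names(missing)))
    disabled = optional_chat & ~cert_chat
    return optional_chat & cert_chat, chat_names(disabled)


if __name__ == "__main__":
    # Constructed sample: the certificate grants four rights; the server
    # requires two of them and optionally asks for two more, one not granted.
    cert = chat_mask("DG4_GIVEN_NAMES", "DG5_FAMILY_NAMES", "DG8_DATE_OF_BIRTH", "AGE_VERIFICATION")
    effective, dropped = check_chat(cert, chat_mask("DG4_GIVEN_NAMES", "DG5_FAMILY_NAMES"),
                                    chat_mask("AGE_VERIFICATION", "DG17_ADDRESS"))
    print(chat_names(effective), dropped)  # ['AGE_VERIFICATION'] ['DG17_ADDRESS']
    try:
        check_chat(cert, chat_mask("RESTRICTED_ID"), 0)
    except ChatSecurityError as err:
        print("error:", err)
```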

#3

Updated by Moritz Horsch over 8 years ago

  • Status changed from New to Feedback
#4

Updated by Moritz Horsch over 8 years ago

  • Status changed from Feedback to In Progress
  • Assignee set to Moritz Horsch
#5

Updated by Moritz Horsch over 8 years ago

  • Status changed from In Progress to Closed
