Feature #106
closed
Check the requested and optional CHAT against the certificate from the eID server
0%
Description
Currently an eID server could send a requested and optional CHAT with data groups/special functions set, for which its certificate doesn't have the appropriate rights.
A check should be implemented and a security error (requested) or a disabling of the optional data group should be done.
Updated by Moritz Horsch over 12 years ago
I don't see any benefit of such a feature. If you consider the eID server to be untrustworthy, a manipulated CHAT will be the least of your problems. If the CHAT really does not fit the terminal certificate, the German identity card should deny any access.
Of course, you can verify that the optional CHAT is a subset of the required CHAT and that the CHAT matches the terminal certificate. To do that, you must verify the certificate chain, and as you know not all of the eID servers send the complete chain.
Finally, the German identity card does that anyway for you.
Updated by Moritz Horsch over 12 years ago
- Status changed from Feedback to In Progress
- Assignee set to Moritz Horsch
Updated by Moritz Horsch over 12 years ago
- Status changed from In Progress to Closed
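The check proposed in the description, as an added example that is not code from this project: a required CHAT that exceeds the certificate's rights raises a security error, and optional bits the certificate does not grant are disabled. It assumes the certificate CHAT was taken from a terminal certificate whose chain has already been verified, and it treats every CHAT as an opaque bitmask of equal length; the function names and the 5-byte sample values are constructed for illustration.

```python
class ChatSecurityError(Exception):
    """The required CHAT asks for rights the terminal certificate lacks."""


def _as_int(chat: bytes, length: int) -> int:
    # All three CHATs must have the same length to be comparable bit by bit.
    if len(chat) != length:
        raise ValueError(f"CHAT must be {length} bytes, got {len(chat)}")
    return int.from_bytes(chat, "big")


def check_chats(cert_chat: bytes, required: bytes, optional: bytes):
    """Return (effective_optional, dropped_optional) as bytes.

    Raises ChatSecurityError if `required` is not a subset of `cert_chat`.
    """
    n = len(cert_chat)
    cert = _as_int(cert_chat, n)
    req = _as_int(required, n)
    opt = _as_int(optional, n)

    # Requested rights: any bit outside the certificate is a hard error.
    excess = req & ~cert
    if excess:
        raise ChatSecurityError(
            "required CHAT exceeds certificate rights: "
            + excess.to_bytes(n, "big").hex()
        )

    # Optional rights: silently disable what the certificate does not grant.
    dropped = opt & ~cert
    effective = opt & cert
    return effective.to_bytes(n, "big"), dropped.to_bytes(n, "big")


# Constructed sample values (not real certificate data).
CERT_CHAT = bytes.fromhex("000000ff0f")
REQUIRED_OK = bytes.fromhex("0000000301")
REQUIRED_BAD = bytes.fromhex("0000010001")
OPTIONAL = bytes.fromhex("000001f010")

if __name__ == "__main__":
    eff, dropped = check_chats(CERT_CHAT, REQUIRED_OK, OPTIONAL)
    print("effective optional:", eff.hex(), "dropped:", dropped.hex())
    try:
        check_chats(CERT_CHAT, REQUIRED_BAD, OPTIONAL)
    except ChatSecurityError as exc:
        print("rejected:", exc)
```
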