Feature #106

closed

Check the requested and optional CHAT against the certificate from the eID server

Added by Dirk Petrautzki over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: High
Assignee:
Target version: -
Start date: 07/05/2012
Due date:
% Done: 0%
Estimated time:
Reviewer:
Build Version:

Description

Currently an eID server could send a requested and optional CHAT with data groups/special functions set for which its certificate doesn't have the appropriate rights.
A check should be implemented, and either a security error (for the requested CHAT) should be raised or the optional data group should be disabled.

#1

Updated by Detlef Hühnlein over 12 years ago

  • Priority changed from Low to High

#2

Updated by Moritz Horsch over 12 years ago

I don't see any benefit of such a feature. If you consider the eID server to be untrustworthy, a manipulated CHAT will be your least problem. If the CHAT really does not fit the terminal certificate, the German identity card should deny any access.

Of course, you can verify that the optional CHAT is a subset of the required CHAT and that the CHAT matches the terminal certificate. To do that, you must verify the certificate chain, and as you know, not all of the eID servers send the complete chain.

Finally, the German identity card does that anyway for you.
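
The check discussed in the description and in comment #2, written out as an added example (not Open eCard code): the required CHAT must be a subset of the rights in the terminal certificate, otherwise the client raises a security error; optional CHAT bits outside the certificate's rights, or outside the required CHAT, are disabled rather than rejected. The CHAT is modelled as the 40-bit authorization field of an Authentication Terminal certificate; the bit names in `CHAT_BITS`, the role-bit position and the sample values are assumptions for illustration, and BSI TR-03110 is the normative source for the real layout.

```python
"""Illustrative CHAT authorization check for an eID client.

Added example, not Open eCard code. An Authentication Terminal CHAT carries a
5-byte (40-bit) authorization field; the eID server sends a 'required' and an
'optional' CHAT, and the terminal certificate it presents carries the rights
the certificate issuer actually granted. The bit positions named below are an
assumed, simplified layout for illustration only; BSI TR-03110 defines the
normative table.
"""

AUTH_FIELD_BYTES = 5
AUTH_FIELD_BITS = AUTH_FIELD_BYTES * 8
# The two most significant bits encode the terminal role, not an access right,
# so they are excluded from the subset comparison (assumed position).
ROLE_MASK = 0b11 << (AUTH_FIELD_BITS - 2)

# Assumed bit names (bit index counted from the least significant bit).
CHAT_BITS = {
    "age_verification": 0,
    "community_id_verification": 1,
    "restricted_identification": 2,
    "read_dg1": 8,    # document type
    "read_dg2": 9,    # issuing state
    "read_dg4": 11,   # given names
    "read_dg5": 12,   # family names
    "read_dg8": 15,   # date of birth
    "read_dg17": 24,  # place of residence
}


class ChatAuthorizationError(Exception):
    """Required CHAT asks for rights the terminal certificate does not grant."""


def chat_from_names(names):
    """Build a 40-bit authorization value from the named bits."""
    value = 0
    for name in names:
        value |= 1 << CHAT_BITS[name]
    return value


def chat_from_bytes(raw):
    """Decode the 5-byte authorization field (big-endian) into an int."""
    if len(raw) != AUTH_FIELD_BYTES:
        raise ValueError(f"authorization field must be {AUTH_FIELD_BYTES} bytes")
    return int.from_bytes(raw, "big")


def chat_to_bytes(value):
    """Encode an authorization value back into its 5-byte field."""
    return value.to_bytes(AUTH_FIELD_BYTES, "big")


def bit_names(value):
    """Names of the set bits in value, for messages and reports."""
    return sorted(name for name, bit in CHAT_BITS.items() if value >> bit & 1)


def certificate_rights(certificate):
    """Access-right bits of a certificate CHAT, with the role bits removed."""
    return certificate & ~ROLE_MASK


def required_is_authorized(required, certificate):
    """True when every bit of the required CHAT is granted by the certificate."""
    return required & ~certificate_rights(certificate) == 0


def check_chats(required, optional, certificate):
    """Apply the policy from the ticket to the three CHATs.

    - required must be a subset of the certificate's rights; otherwise a
      security error is raised and the authentication should be aborted.
    - optional bits outside the certificate's rights are disabled (cleared).
    - optional is also reduced to a subset of required (comment #2's rule).
    Returns (effective optional CHAT, bits that were disabled).
    """
    rights = certificate_rights(certificate)
    excess = required & ~rights
    if excess:
        raise ChatAuthorizationError(
            "required CHAT exceeds terminal certificate: " + ", ".join(bit_names(excess)))
    effective_optional = optional & rights & required
    disabled = optional & ~effective_optional
    return effective_optional, disabled


if __name__ == "__main__":
    # Constructed sample values, not taken from a real certificate.
    ROLE_AT = 0b10 << (AUTH_FIELD_BITS - 2)  # assumed role encoding
    cert = ROLE_AT | chat_from_names(
        ["read_dg1", "read_dg2", "read_dg4", "read_dg5", "read_dg8", "age_verification"])
    required = chat_from_names(["read_dg4", "read_dg5", "read_dg8", "age_verification"])
    optional = chat_from_names(["read_dg8", "read_dg17", "community_id_verification"])
    effective, disabled = check_chats(required, optional, cert)
    print("effective optional:", bit_names(effective))
    print("disabled:", bit_names(disabled))
    try:
        check_chats(required | chat_from_names(["read_dg17"]), optional, cert)
    except ChatAuthorizationError as err:
        print("rejected:", err)
```

As comment #2 points out, the certificate CHAT is only meaningful after the terminal certificate has been validated up the chain; this check sits after that step and only compares bit sets, so a server that omits the chain still has to be handled separately.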

#3

Updated by Moritz Horsch over 12 years ago

  • Status changed from New to Feedback

#4

Updated by Moritz Horsch over 12 years ago

  • Status changed from Feedback to In Progress
  • Assignee set to Moritz Horsch

#5

Updated by Moritz Horsch over 12 years ago

  • Status changed from In Progress to Closed