Feature #106
closed
Check the requested and optional CHAT against the certificate from the eID server
Added by Dirk Petrautzki almost 12 years ago.
Updated over 11 years ago.
Description
Currently an eID server could send a requested and optional CHAT with data groups/special functions set, for which it's certificate doesn't have the appropriate rights.
A check should be implemented and a security error (requested) or a disabling of optional data group should be done.
- Priority changed from Low to High
I don't see any benefit of such a feature. If you consider the eID server to be untrustworthy a manipulated CHAT will be your least problem. If the CHAT really not fit to the terminal certificate the German identity card should denial any access.
Of course, you can verify that the optional CHAT is a subset of the required CHAT and that the CHAT matches the terminal certificate. To do that, to must verify the certificate chain and as you know not all of the eID servers sends the complete chain.
Finally the German identify card do that anyway for you.
- Status changed from New to Feedback
- Status changed from Feedback to In Progress
- Assignee set to Moritz Horsch
- Status changed from In Progress to Closed
Also available in: Atom
PDF