We have to keep in the certificate all the variable data that are part of the proof public inputs (including endCumScTxCommTree) because otherwise we will not be able to distinguish between a "honest" cert proof not verifying (eg. a valid proof generated for a mainchain fork) and a malicious one (eg. a wrong proof obliging the node to verify it against the current epoch data). To penalize such a behavior, we should add the endCumScTxCommTreeRoot to the certificate data (verify if also mandatory to be part of the message to sign). In such a way, when a node receives a cert with a endCumScTxCommTreeRoot not on the current active chain, it will reject it without verifying the proof and it will not assign any penalty to the sender. On the contrary, if the endCumScTxCommTreeRoot is on the current active chain but the proof does not verify we can ban the sender.
The same approach should be adopted with MCBTRs for activeCertDataHash.
We have to keep in the certificate all the variable data that are part of the proof public inputs (including endCumScTxCommTree) because otherwise we will not be able to distinguish between a "honest" cert proof not verifying (eg. a valid proof generated for a mainchain fork) and a malicious one (eg. a wrong proof obliging the node to verify it against the current epoch data). To penalize such a behavior, we should add the endCumScTxCommTreeRoot to the certificate data (verify if also mandatory to be part of the message to sign). In such a way, when a node receives a cert with a endCumScTxCommTreeRoot not on the current active chain, it will reject it without verifying the proof and it will not assign any penalty to the sender. On the contrary, if the endCumScTxCommTreeRoot is on the current active chain but the proof does not verify we can ban the sender. The same approach should be adopted with MCBTRs for activeCertDataHash.