The section for "Trusted List Format" should be removed and handled in a separate document in all aspects that deals with international exchange of certificates and the format of the certificate data.
The major reason is that it would
1) hold up this specification in an unnecessary way as this is still a matter of discussion related to the DGC gateway
2) Verifiers dealing with this specification will probably not deal with certificates from the DGC gateway directly, but they will probably be served with a map of certs indexed under its kid from a national infrastructure service. So from the verifiers perspective, this is out of scope.
What the verifier needs is simply a short list of certificate content requirements.
I propose to change the current certificate requirements in the following way:
Remove key identifier requirements and replace it with:
DSC certificates MUST contain an Authority Key Identifier matching the signer Subject Key Identifier if the DSC certificate is not self signed.
Remove private key usage period requirements
Add: MAY include extended key usage extension which MAY serve to limit the scope of the DSC key holder. Other specificatoins MAY define extended key usage identifiers relevant for use with DSC certificates. In the absence of an extended key usage extension, the key is unconstrained and MAY be used to sign all relevant hcert documents.
The section for "Trusted List Format" should be removed and handled in a separate document in all aspects that deals with international exchange of certificates and the format of the certificate data.
The major reason is that it would 1) hold up this specification in an unnecessary way as this is still a matter of discussion related to the DGC gateway 2) Verifiers dealing with this specification will probably not deal with certificates from the DGC gateway directly, but they will probably be served with a map of certs indexed under its kid from a national infrastructure service. So from the verifiers perspective, this is out of scope.
What the verifier needs is simply a short list of certificate content requirements. I propose to change the current certificate requirements in the following way: