During our implementations several issues came up, that we think still need to be defined. I am starting a brainstorming list here, this is not a full list of course:
Error codes and especially, legally/org. definition what the validator needs to see: We think yes/no will not be enough, since in the minimum sense NO could also mean that the validator has a problem (too long offline e.g.), so there is a technical perspective and of course org/legal (discussion started here: )
Clarifications on e.g. validating OIDs in X509 certificates
Offline definitions for validation apps
security/privacy: clear awareness for member states and private sector use cases (GDPR, health related data). worry: everyone can read the code, steal it, misuse it for other use cases (privacy, fake usage when no ID card is required)
Doable max size of QR-Code: current statement, 1400 bytes
Validity of DGCs and X509 certificates and clear definitions for the gateway
Revocation of the signed certificate: Revocation is currently: remove it from the trust list. This is fine, however comes with one major problem: revoking a signing certificate typically just invalidates the signed documents that were issued after the revocation data. if we remove the certificate from the trust list however, all previous documents will be invalidated (re-issuing all of them would be problematic). Discussion on that needed (many approaches, but we would need to see a direction)
During our implementations several issues came up, that we think still need to be defined. I am starting a brainstorming list here, this is not a full list of course: