fredriklj
commented
3 years ago I agree. Will you incorporate that change?
Closed dirkx closed 3 years ago
fredriklj
commented
3 years ago I agree. Will you incorporate that change?
jschlyter
commented
3 years ago Agree.
We currently allow for self signed DSCs by stating that
Allowing effectively signatures from private keys in X.509 certs (that we do not use in the trust list at all) that has CA:TRUE.
This is a compromise that makes the barrier to entry really low - while still keeping the ICAO concept alive.
We currently say in README.md:
If CSCAs public keys appear in the list - they are _only_ there to facilitate the creation of the trusted list of public keys itself. They are not used during verification of a HCERT (as this is generally offline -- and purely based on the trusted list of that day).I think that should be:
A CSCAs public keys can only appear on the list if it is _also_ submitted as a DSC key. Otherwise the CSCA are _only_ used to facilitate the creation of the trusted list of public keys itself. And not included on that list. They are not used during verification of a HCERT (as this is generally offline -- and purely based on the trusted list of that day).