ehn-dcc-development / eu-dcc-hcert-spec

Electronic Health Certificates Specification

Behaviour of verifier when there are zero usage policy identifiers #80

Closed louridas closed 3 years ago

louridas commented 3 years ago

In A.4 of the spec it is stated that:

The SC may contain an extended key usage extension with zero or more key usage policy identifiers.

What should the verifier do when the extended key usage extension exists but contains zero key usage policy identifiers?

dirkx commented 3 years ago

The spec says this (next sentence):

"In absence of any key usage extension, this certificate can be used to validate any type of HCERT."

Or in other words - if absent it is trusted/used in all circumstances. No limitations.

louridas commented 3 years ago

I am referring to the particular case where the key usage extension exists but it does not contain any identifier.

I understand that it will be treated as if it did not exist at all?

dirkx commented 3 years ago

Types constrain it. If there are zero - I'd say it is not constrained.

Do you want to propose some new wording for the next version?

louridas commented 3 years ago

Perhaps:

If present the verifiers SHALL verify => If present with non zero key usage policy identifiers the verifiers SHALL verify
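
The reading reached in this thread, as an added example (not code from the spec or the project): a verifier-side check that separates the three cases, extension absent, extension present with zero identifiers, and extension present with identifiers, and treats the first two as unconstrained. The OIDs are constructed placeholders under the 2.999 example arc, and all function and constant names are hypothetical.

```python
# Added example, not project code. OIDs are constructed placeholders (2.999 arc).
VACCINATION, TEST = "2.999.1", "2.999.2"           # hypothetical policy identifiers
EKU_EMPTY = bytes.fromhex("3000")                  # constructed: SEQUENCE {}
EKU_VACC_ONLY = bytes.fromhex("30050603883701")    # constructed: SEQUENCE { 2.999.1 }

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("bad OID")
    subids, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def eku_policy_oids(eku_der):
    """eku_der: DER value of the EKU extension, or None if it is absent."""
    if eku_der is None:
        return None
    tag, body, end = _read_tlv(eku_der, 0)
    if tag != 0x30 or end != len(eku_der):
        raise ValueError("EKU must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OIDs")
        oids.append(_decode_oid(value))
    return oids

def may_validate(eku_der, hcert_type_oid):
    """Absent or empty EKU: unconstrained. Otherwise the type must be listed."""
    oids = eku_policy_oids(eku_der)
    return not oids or hcert_type_oid in oids
```

RFC 5280 defines ExtKeyUsageSyntax as SEQUENCE SIZE (1..MAX), so a strict X.509 parser may reject the zero-identifier case before a check like this is reached.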