Closed jhswedeveloper closed 4 years ago
The root of trust is the LOTL, so the issuer is irrelevant. If you want to trust the certificate outside eIDAS, then yes you might want to trust the issuer first, but if the list says that a particular certificate is trusted, then the issuer doesn't matter.
I see, so in the context of "I want to validate a TPP to see that he has a valid PSD2 certificate", it should be enough to only trust the LOTL?
Thanks for the quick reply, I've been having a hard time wrapping my head around it.
From the eIDAS perspective, it doesn't matter if the trusted service is self-issued, or issued by another CA certificate. This lets eIDAS explicitly trust one service (e.g. personal certificate issuing CA) from a company instead of the root - which means you have to trust everything that company's root CA does.
Be careful that trusting a PSD2 provider's certificate only tells you about the license status at the time the certificate was issued. Not all member states are using certificate revocation to show that a license is withdrawn or lapsed, so you should use another means to determine that if you need a real-time check.
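To make the two points above concrete (the anchor is whatever the trusted list names, which may be an issuing CA rather than the chain's root, and a root that only lives in an OS or browser store carries no weight), here is an added example; it is not code from this issue thread or from the project. It models certificates with a constructed toy format and HMAC "signatures" so it runs offline; all CA names, the TPP name and the trusted-list entries are made up, and in production the same walk sits on top of a real X.509 library and the certificates published in the LOTL/TL.

```python
"""Added example, not code from the original issue thread: validating a TPP
certificate against trusted-list (TL) entries, where the anchor is whatever
the list names (often an issuing CA), not the chain's self-signed root.

Real X.509 parsing and public-key signature checks are replaced by a
constructed toy certificate model with HMAC "signatures" so the script runs
offline. All names below are made up."""
import hashlib
import hmac

# Constructed "CA private keys": one HMAC secret per CA name.
CA_KEYS = {
    "Example Root CA": b"root-secret",
    "Example PSD2 Issuing CA": b"issuing-secret",
    "Example Commercial Root": b"commercial-root-secret",
    "Example Commercial Issuing CA": b"commercial-issuing-secret",
}

def make_cert(subject, issuer, serial, signing_key=None):
    """Constructed stand-in for a DER certificate: TBS fields + HMAC tag (hex)."""
    tbs = f"{subject}|{issuer}|{serial}".encode()
    key = signing_key if signing_key is not None else CA_KEYS[issuer]
    sig = hmac.new(key, tbs, hashlib.sha256).hexdigest().encode()
    return {"subject": subject, "issuer": issuer, "der": tbs + b"|" + sig}

def fingerprint(cert):
    """SHA-256 of the certificate bytes; TL entries pin certificates this way."""
    return hashlib.sha256(cert["der"]).hexdigest()

def signature_ok(cert, issuer_cert):
    """Toy replacement for verifying cert's signature with the issuer's public key."""
    if cert["issuer"] != issuer_cert["subject"]:
        return False
    tbs, _, sig = cert["der"].rpartition(b"|")
    expected = hmac.new(CA_KEYS[issuer_cert["subject"]], tbs,
                        hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(sig, expected)

# Constructed PKI: the PSD2 issuing CA hangs under a root; a commercial CA
# hangs under a root that exists only in OS/browser root stores.
ROOT = make_cert("Example Root CA", "Example Root CA", 1)
PSD2_ISSUING = make_cert("Example PSD2 Issuing CA", "Example Root CA", 2)
TPP_CERT = make_cert("Example TPP", "Example PSD2 Issuing CA", 1001)
COMMERCIAL_ROOT = make_cert("Example Commercial Root", "Example Commercial Root", 1)
COMMERCIAL_ISSUING = make_cert("Example Commercial Issuing CA", "Example Commercial Root", 2)
COMMERCIAL_LEAF = make_cert("Some Other Party", "Example Commercial Issuing CA", 77)
# Leaf naming the PSD2 issuing CA as issuer but signed with a different key.
FORGED_CERT = make_cert("Example TPP", "Example PSD2 Issuing CA", 1002, signing_key=b"attacker")
CANDIDATES = [ROOT, PSD2_ISSUING, COMMERCIAL_ROOT, COMMERCIAL_ISSUING]

# Constructed trusted-list entries: only the issuing CA is listed, not its root.
TRUST_LIST = [
    {"name": "Example PSD2 Issuing CA", "type": "CA/QC", "status": "granted",
     "sha256": fingerprint(PSD2_ISSUING)},
]

def validate_against_tl(leaf, candidates, trust_list, max_depth=8):
    """Walk issuer links from the leaf and succeed at the first certificate whose
    fingerprint is a granted CA/QC service on the list. Returns
    (trusted, anchor_name, chain). A self-signed root is consulted only if the
    list itself happens to name it."""
    trusted = {e["sha256"]: e for e in trust_list
               if e["type"] == "CA/QC" and e["status"] == "granted"}
    by_subject = {c["subject"]: c for c in candidates}
    chain, cert = [leaf], leaf
    for _ in range(max_depth):
        entry = trusted.get(fingerprint(cert))
        if entry is not None:
            return True, entry["name"], chain
        if cert["issuer"] == cert["subject"]:
            return False, None, chain   # reached a root the list does not name
        issuer = by_subject.get(cert["issuer"])
        if issuer is None or not signature_ok(cert, issuer):
            return False, None, chain   # missing issuer or bad signature
        chain.append(issuer)
        cert = issuer
    return False, None, chain           # chain too long or cyclic

if __name__ == "__main__":
    for label, leaf in [("TPP", TPP_CERT), ("commercial", COMMERCIAL_LEAF), ("forged", FORGED_CERT)]:
        ok, anchor, chain = validate_against_tl(leaf, CANDIDATES, TRUST_LIST)
        print(label, ok, anchor, [c["subject"] for c in chain])
```

The walk stops as soon as a certificate matches a granted entry, so the TPP certificate is accepted with the issuing CA as anchor even though the root is absent from the list, while the commercial leaf climbs to a root nobody on the list vouches for and is rejected. A positive result here only says the certificate chains to a listed service; as the reply above notes, whether the provider's licence is still in force is a separate check against the competent authority's register.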
I noticed some QTSPs issue certificates where the root of that certificate is missing and is found, for example, in the Microsoft root store.
This multicert is an example https://webgate.ec.europa.eu/tl-browser/#/tl/PT/4/7
My question is: do we need to import the Microsoft root store program separately and include it in our truststore?