nuts-foundation / nuts-specification

Contains the source of the Nuts specification RFCs.
https://nuts-foundation.gitbook.io

RFC008: required pkiO certificates #271

Closed gerardsn closed 4 months ago

gerardsn commented 4 months ago

https://nuts-foundation.gitbook.io/drafts/rfc/rfc008-certificate-structure#id-3.1-certificate-authority-trust-chain

contains the following

> A node will need to configure the correct CA-tree so other nodes can connect. The certificates to configure are:
> - Staat der Nederlanden Private Root CA G1 (root certificate)
>     - Staat der Nederlanden Private Services CA – G1
>       - KPN PKIoverheid Private Services CA - G1
>       - QuoVadis PKIoverheid Private Services CA - G1
>       - UZI-register Private Server CA G1
>
> Do not include other PKIoverheid CA certificates.

The problem with this is that this list changes over time. Without inclusion criteria for the certificates (besides domain private services), the last line in the quote is causing issues for implementers.

Perhaps we should just include all certificates in the domain private services chain?
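The choice being discussed is where in the PKIoverheid private-services tree the trust anchors sit: at the enumerated issuer sub-CAs (the list as written), at the Private Services CA (the whole domain, as proposed above), or at the root. The Go program below is an added illustration, not code from this issue or from the Nuts project. It builds a constructed toy hierarchy with placeholder names shaped like the RFC008 tree, then runs standard X.509 path validation for each anchoring choice. The hierarchy, names and the three anchoring options are assumptions of the example; how the Nuts node actually loads its truststore is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a constructed test certificate with its signing key. Every name in
// this file is a placeholder shaped like the RFC008 tree, not real PKIoverheid material.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // increasing serial numbers for the toy PKI

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *ca) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Leaf: a node's TLS server certificate.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"node.example"}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// chainsTo reports whether leaf validates against the configured trust anchors when
// the peer presents the listed intermediates in the handshake.
func chainsTo(leaf *x509.Certificate, anchors, presented []*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c)
	}
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: "node.example"})
	return err == nil
}

// outcome records which leaves validate for one anchoring choice: Known (issued under an
// enumerated sub-CA), New (sub-CA added after the list was written), Other (sibling
// domain under the same root that the RFC wants excluded).
type outcome struct{ Known, New, Other bool }

// scenario builds the toy hierarchy and evaluates three places to anchor trust.
func scenario() map[string]outcome {
	root := issue("Test Private Root CA G1", true, nil)
	services := issue("Test Private Services CA - G1", true, root)
	known := issue("Test Issuer A Private Services CA - G1", true, services)
	added := issue("Test Issuer B Private Services CA - G1", true, services) // not on the list
	other := issue("Test Other Domain CA - G1", true, root)                  // outside private services

	leafKnown := issue("node-a", false, known).cert
	leafNew := issue("node-b", false, added).cert
	leafOther := issue("node-c", false, other).cert

	// Peers present their full intermediate chain; the root itself is never sent.
	presented := []*x509.Certificate{known.cert, added.cert, other.cert, services.cert}
	eval := func(anchors ...*x509.Certificate) outcome {
		return outcome{
			Known: chainsTo(leafKnown, anchors, presented),
			New:   chainsTo(leafNew, anchors, presented),
			Other: chainsTo(leafOther, anchors, presented),
		}
	}
	return map[string]outcome{
		"enumerated sub-CAs": eval(known.cert),    // the RFC list, read literally
		"services CA":        eval(services.cert), // the whole private-services domain
		"root":               eval(root.cert),     // everything issued under the root
	}
}

func main() {
	for name, o := range scenario() {
		fmt.Printf("anchor %-20s known=%v new=%v other=%v\n", name, o.Known, o.New, o.Other)
	}
}
```

Anchoring on the enumerated sub-CAs rejects a certificate from any issuer added later, which is the maintenance problem raised above; anchoring on the Private Services CA accepts the whole domain while still refusing a sibling domain under the same root; anchoring on the root alone accepts both, which is what the RFC's exclusion sentence is guarding against.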

woutslakhorst commented 4 months ago

so either

gerardsn commented 4 months ago

option 1 is fine for now. Option 2 would be a good long term solution, but also requires us to monitor changes to the list of issuers. Before we move in that direction, I'd like to know how relevant this list is going to be (from nuts perspective, not use case perspective) after switching to openid4vc flows.

woutslakhorst commented 4 months ago

> option 1 is fine for now. Option 2 would be a good long term solution, but also requires us to monitor changes to the list of issuers. Before we move in that direction, I'd like to know how relevant this list is going to be (from nuts perspective, not use case perspective) after switching to openid4vc flows.

if the auth flow removes mTLS requirements, not much