Archived 2023.09.25. Content moved to CDS guide, Certificates and cipher suites
As a Data Holder (DH) we seek to clarify a requirement that is noted under CDS Certificate Management, Issued by the Register CA for Data Recipients. This note is applicable to revocation endpoint, CDR arrangement management endpoint and JWKS endpoint. It says “ADRs may choose to secure their endpoints with a certificate issued by Register CA or a certificate issued by a public CA”. Where an ADR chooses to do the latter:
- Is there a list of ‘public CAs’ that DSB recommends? Is DSB expecting DHs to accept all public CA certificates, or is this up to the discretion of the DHs (in line with the DH’s security policy)?
- Does the DSB intend to mandate Extended Validation (EV) SSL Certificate?
An SSL certificate must be TLS version 1.2 and above. EV Certificates are not explicitly required. The expectation is that the DH uses a reputable public CA that is in wide usage. An example is a CA from the list used by the widely used browsers.
A DH that maintains an unreasonably restrictive CA list, and consequently fails to make a revocation call to an ADR, would not be compliant with the Consumer Data Standards.
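The following is an added example of how a Data Holder could configure the outbound TLS client it uses to call an ADR's revocation, arrangement-management or JWKS endpoint, in line with the answer above: TLS 1.2 as the floor, certificate and hostname verification on, and a trust store that covers a broadly used public-CA root set (the operating system bundle is used here as an approximation of the browser root lists) plus, optionally, the Register CA. It is not code from the DSB or the CDS; the `register_ca_pem` path and the `describe_context` helper are assumptions for illustration.

```python
import ssl
import urllib.request
from typing import Optional


def build_adr_client_context(register_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS context a Data Holder could use when calling an ADR's
    revocation, arrangement-management or JWKS endpoint.

    - TLS 1.2 is the floor: TLS 1.0/1.1 handshakes are refused.
    - Server certificates are verified (CERT_REQUIRED) and the hostname is
      checked, so a certificate from any CA in the trust store is accepted
      only for the host it was issued to.
    - The trust store is the operating system's public-CA bundle (assumed
      here to be a broadly used root set close to what mainstream browsers
      trust), optionally extended with the Register CA so that ADRs using
      either option remain reachable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if register_ca_pem is not None:
        # Hypothetical path to the Register CA root/intermediate bundle in PEM form.
        ctx.load_verify_locations(cafile=register_ca_pem)
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the settings that matter for this question,
    useful for a configuration self-check or an audit log line."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "trusted_ca_count": len(ctx.get_ca_certs()),
    }


def call_adr_endpoint(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """Perform a GET (for example against an ADR's JWKS endpoint) using the
    hardened context.

    A handshake against a server that only offers TLS 1.0/1.1, presents a
    chain that does not end in a trusted root, or whose certificate does not
    match the hostname raises ssl.SSLError / ssl.SSLCertVerificationError.
    The caller should log that failure together with the ADR identifier rather
    than silently skipping the call, since a revocation call that never
    happens is the non-compliance scenario described above.
    """
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed local self-check: no network access is required.
    print(describe_context(build_adr_client_context()))
```

If the DH's security policy calls for a narrower list than the OS bundle, the same context can be built with `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` and only `load_verify_locations` calls for the approved roots; the trade-off, as the answer notes, is that an unreasonably restrictive list can cause revocation calls to ADRs with valid public-CA certificates to fail.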