To configure DGCG (Digital Green Certificate Gateway) in Digital COVID Certificate project, participating countries provide information regarding Public Key of the certificate of CSCA (Certificate Signing Certificate Authority). Spain uses a ECC #eIDAS Sub-CA as CSCA.
CSCA, as defined in the DGC project, requires the CSCA cert to include the country field for which the CSCA is valid. However, #EIDAS certificates are intended for cross-border interoperability, so the country field in the CA cert is irrelevant to countries in which it is valid.
DGC technical documents should be changed so CSCA of one country could be serviced from a CA in other country. So #EIDAS certification authorities could provide DSC certificates to health bodies in any country. The same principle should be extended to WHO technical documents.
Extended key Usage Identifiers could be present with some information in #EIDAS certificates, so the explanation that the DSC may contain an extended key usage extension with zero or more key usage policy identifiers that constrain the types of HCERTs such DSC certificate may sign, should consider other OIDs as «not present» if the eHealth application doesn´t understand them.
If one or more of the special DGC OIDs are present, the verifiers SHALL verify the extended key usage against the stored HCERT.
In absence of any key usage extension of the special DGC OIDs (i.e. no such special DGC OIDs extensions), the related DSC certificate can be used to sign any type of HCERT.
So, in #EIDAS DSC certificates to be used to electronically sign HCERT, the following OIDs can be used in Extended Key Usage extension fields:
- OID 220.127.116.11.4.1.1847.2021.1.1 — valid for test
- OID 18.104.22.168.4.1.1847.2021.1.2 — valid for vaccinations
- OID 22.214.171.124.4.1.1847.2021.1.3 — valid for recovery
This OIDs can be present if the related EU Digital COVID Certificate is restricted to one of two kind of certificates. If all 3 are included (or none of them) the related EU Digital COVID Certificate is NOT restricted and can reflect any of the three options.