For a mobile application I would like to be as compliant as possible with the AdES standard.

The mobile application will perform operations on behalf of the user, signing them first. A backend service will verify the signature and proceed with the operations.

The main question is about the restrictions regarding who the CA should be.

Can a mobile device be its own CA authority or is it mandatory that another entity issues the certificate?

For the first case, the mobile application would generate both certificates (CA and signing cert) during the user's onboarding. Both certificates would be sent to the backend for later signature verification.

For the second case, the mobile application would generate a CSR and the backend would generate the signing cert.

Are there any restrictions about how this process is allowed to work?

crom87

0 Answers