The part 2 §7.3.4 v1.04 states that the GDS establishes a secure channel using the highest security level available in the target Server. It does not provide updated CRLs, Certificates or TrustLists via an endpoint that has a lower security level than the security level of the updates.

To carry out this it would be necessary to have a clear definition on how 'higher security level" for CRLs, certificates or TrustLists shall be evaluated.

We read into this requirement that we should use the security policy of the secure channel since it seems a convenient way to manage it. If we understood this correctly, it seems that the relative weight of security level between security policies would be necessary to evaluate the requirement. Once this data is available we should be able to determine if the provided certificates are compliant for the secure channel security policy or a lower secure policy level.

Another interpretation might be to take as reference, one of the certificates used to establish the secure channel. In this case it will be necessary to precise which certificate to choose between client and server certificate as reference for the security level depending on concrete criteria. Moreover it should be precised which certificate properties to take into account and the hierarchy/weight between them. As example, how to estimate the security level between an RSA key of 2048 bits length with SHA512 for signature and an RSA key of 4096 bits length with SHA256 for signature ? As an other example, how to compare RSA and ECC public keys?