It also looks like (unless I am missing something) 'liceneses' (signatures of authorised officials as far as I can tell) are checked for common name / organisational unit, but there is no check that the certificate trust chain is anchored on a trusted certificate.