There are two checks MAG does/ can do:
- by default it will check if the certificate has been created by MAG. This will fail if not. It will also fail if the device has been de-registered
- optionally MAG will check if the certificate has been signed by MAG
Customers could modify the default implementation. That's why we support multiple ways of verifications.