[cabfpub] LEI information in web certificates

Ryan Sleevi sleevi at google.com
Fri Jul 6 21:36:37 UTC 2018

On Fri, Jul 6, 2018 at 4:29 PM Tim Hollebeek via Public <public at cabforum.org>

> As many of you are aware, the GLEIF foundation recently invited CA/Browser
> Forum members to its identity management workshop.  Some people have
> contacted us about the possibility of putting LEI identifiers into web
> certificates.  This is in some ways similar to the recent proposal from
> ETSI to put additional identity information into certificates, though it
> has the advantage that we are free to determine ourselves how best to
> encode it.
> CAs are already allowed to include this information in certificates,
> assuming it has been appropriately validated.  There is a Global Legal
> Entity Identifier Index that is authoritative for LEIs.  However it would
> be valuable if there were a standardized CABF OID and extension so that
> every CA that chooses to include this information includes it in an
> interoperable way.  This also allocates the OID in a namespace we control,
> allowing us to state in the BRs the purpose and semantics of the extension,
> and require that it only be used for authentic and validated LEIs.
> It seems to me that it would be worthwhile to standardize this, instead of
> every CA coming up with their own way of doing it.  What do other people
> think?

Could you explain how this information would be used by Relying Parties?

The GLEIF model effectively relies on third-party RAs, with all of the
attendant issues, and without a clear framework for addressing many of the
issues that has been held in the CA ecosystem. I'm not sure the value
proposition here, or that the information is something RPs should
necessarily use. As to whether or not it's appropriate, I think that's
going to be very much contingent upon what the intended semantics being
introduced are - that is, what relationship, if any, is being expressed
between the LEI ID and the domain - and that opens a host of complexity
that could easily detract from the far more pressing and meaningful work on
improving the domain and information validation.

I'm not sure why a CABF OID would be more useful than a GLEIF OID (which
seems far more appropriate), and with a defined syntax relevant for GLEIF.
I can think of no good reason to use the CABF arc, so I'm hoping you could
explain more that thinking.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20180706/68c9c16b/attachment-0003.html>

More information about the Public mailing list