[Servercert-wg] Ballot SC17 version 7: Alternative registration numbers for EV certificates

Tim Hollebeek tim.hollebeek at digicert.com
Thu May 9 07:26:22 MST 2019

Yup, that’s a good summary of how we got here.


The only other thing that I’d add is that the ballot also gives CAs a reasonable amount of time to implement this new extension (it isn’t mandatory until next year).




From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Servercert-wg
Sent: Thursday, May 9, 2019 10:19 AM
To: Adriano Santoni <adriano.santoni at staff.aruba.it>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] Ballot SC17 version 7: Alternative registration numbers for EV certificates




On Thu, May 9, 2019 at 5:11 AM Adriano Santoni via Servercert-wg <servercert-wg at cabforum.org <mailto:servercert-wg at cabforum.org> > wrote:

Hello Tim, Dimistris,

I probably missed some posts to the list, as I just realized that this ballot (since version 4) mandates inclusion of the new extension CABFOrganizationIdentifier if the subject:organizationIdentifier field is present. Home comes that? I got lost in the discussions...

That seems exceedingly complex to me, especially as I cannot see its purpose, and implies development work on CA software for implementation of the new CABFOrganizationIdentifier extension.

Please bear with me and remind me the rationale leading to such a proposal....


Hi Adriano,


I'm not Tim or Dimitris, but I can hopefully shed some insight into this.


This was discussed somewhat during the CA/Browser Forum F2F in Cupertino. The reasoning is that the use of the subject:organizationIdentifier to convey structured information like this is problematic on a number of dimensions, as has previously been shared with our ETSI Liasons. Much like ITU-T and IETF collaborated in the definition of the Subject Alt Name extension, recognizing the inherent problems of the X.500 naming scheme of the Subject in the absence of a global X.500 hierarchy, the extension represents an attempt by the CA/Browser Forum to more collaboratively engage with ETSI on matters of technical expertise. By ensuring that the extension is present, this provides the opportunity for ETSI to, in a future update to its TS set of documents related to PSD2, seemlessly transition from the problematic form of the subject:organizationIdentifier and into the more structured form of the CABFOrganizationIdentifier, without disrupting sites or end users.


By ensuring both are present, we have a system that is compatible with the unfortunate legacy decisions found within the current PSD2 profile, while providing a seamless path forward, to a more compliant approach. The approach taken with respect to the CABFOrganizationIdentifier aligns with the approach ETSI has taken in other aspects of its qualifications - ensuring that information is reliably and unambiguously separated, for example - and thus avoids the significant security risks that the approach presently taken by ETSI presents.


Does that help? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190509/78a276bc/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190509/78a276bc/attachment-0001.p7s>

More information about the Servercert-wg mailing list