[cabf_validation] Support for registered organisation identifier of EU payment service providers

Ryan Sleevi sleevi at google.com
Tue Dec 4 09:45:52 MST 2018


On Tue, Dec 4, 2018 at 7:55 AM nhpe89--- via Validation <validation at cabforum.org> wrote:

> All,
>
> Tim has kindly offered to discuss the EU requirements for identification
> of organisations providing payment services in the EU in the next call of
> the validation group.
>
> As a starting point may I make the following points (as a personal
> contribution to discussions):
>
> 1) There is a need in the EU in support of Open Banking to include within
> a Website certificate a registered identifier for a payment service
> provider which is used to reference authorisation information in EU
> national registers for payment services under the 2nd EU Payment Service
> Directive (PSD2). It is required under PSD2 that this registered
> identifier is authenticated by the Website certificate. Some
> interpretations of the EU requirements consider that this website
> certificate must be a Publicly Trusted Certificate.
>

I think supporting documentation to this claim would be useful.

First, the discussion of why it needs to be the website certificate in TLS
is useful. Whether this is browser-specific or browser-agnostic, discussing
the technical requirements and/or providing documentation to that effect
will help determine more about the solution space constraints and how the
CA/Browser Forum, and more generally, the industry, can better help these
solutions.


> 2) ETSI have published a standard for EU payment services (TS 119 495)
> which includes a web site certificate profile including the placement of
> the payment service provider registered identifier in the X.520
> organizationIdentifier in the Subject Distinguished Name.
>

Similarly, a discussion point to consider is to what extent ETSI liaisons to
the CA/B Forum discussed these changes, and their implications, with the
CA/Browser Forum. One can imagine that a lack of discussion of substantive
changes to ETSI documents has, in turn, created the situation we see, and
one area of consideration is how ETSI can be a more engaged and
representative participant in the CA/Browser Forum.


> 3) The EV Guidelines requirement on EV Certificate Subject Information
> 9.2 includes a sub-section 9.2.8 on “other Subject Attributes” which is
> assumed to allow the inclusion of X.520 organizationIdentifier to carry
> the payment service provider registered identifier as specified in ETSI
> TS 119 495. As yet no one has clearly demonstrated this assumption is
> incorrect.
>

I think it's useful to keep this latter editorializing separate from the
facts of the discussion. I think a number of people have demonstrated this
assumption is incorrect, and our discussion is how best to move forward.


> 4) The CAB Forum validation group have indicated a desire to update the
> EV guidelines to update the 9.2 requirements to be more explicit on the
> requirements of “Other Subject Attributes”.
>
> 5) The CAB Forum meeting in June requested the CABF validation Group to
> work with ETSI to see if it can identify a solution to ensure any update
> to EV 9.2 which still enables ETSI to meet the requirements of PSD2 as
> applied to PTC.
>

I think that's misstating the work mode of the CA/Browser Forum. That is,
you assign a logical entity, as if the CA/Browser Forum as a whole
requested the Validation WG to address this. That's not correct thinking
about how the Forum works. It certainly was suggested as such, but neither
the CA/Browser Forum nor the Chair directs activities in the way this
language implies.


>
> Starting point for choices:
>
> a) Recognise the current approach using X.520 organizationIdentifier in
> the Subject Distinguished Name
>
> - From the ETSI viewpoint this is the preferred approach
>
> b) Carry the PSD2 payment service provider registered identifier as a
> Registered Identifier
>
> - This may not be considered the intent of equivalence to Incorporation
>

I have yet to see this discussion proposed. Could you clarify if you're
thinking about an existing proposal, or are you introducing a new proposal
that has not yet been discussed? Could you clarify how that is distinct
from c)?


>
> c) Carry PSD2 payment service provider registered identifier in another
> field
>
> - This requires changes to ETSI specifications and also acceptance by the
> PSD2 community who need to support the regulation in test mode by March
> 2019.
>
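Added example, not part of either message above: the placement that point 2
and option a) describe, the PSD2 registered identifier carried in the X.520
organizationIdentifier attribute (OID 2.5.4.97) of the Subject DN, shown in
working Python using only the standard library. The small DER encoder and
decoder are written for this example, not taken from any library or from
ETSI. The identifier syntax that the regular expression checks is my
recollection of ETSI TS 119 495 ("PSD" + ISO 3166 country code of the NCA,
a hyphen, the NCA identifier, a hyphen, the NCA-issued PSP authorisation
number) and should be verified against the current spec; the character set
allowed for the authorisation number is an assumption. The sample subject
values are constructed and do not belong to a real PSP. The code checks
syntax only; whether the number is actually in the national register is the
validation step this thread is about and is not done here.

```python
"""Added example (not from the thread): an X.501 Name carrying the X.520
organizationIdentifier attribute as ETSI TS 119 495 places it, encoded to
DER and parsed back, with a syntax check of the PSD2 identifier.
Standard library only, so it runs offline."""
import re

OID_COUNTRY_NAME = "2.5.4.6"
OID_ORGANIZATION_NAME = "2.5.4.10"
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"   # X.520 organizationIdentifier

# ASN.1 universal tags used below.
TAG_OID, TAG_UTF8, TAG_PRINTABLE = 0x06, 0x0C, 0x13
TAG_SEQUENCE, TAG_SET = 0x30, 0x31

# Assumed PSD2 syntax, from memory of ETSI TS 119 495 (verify against the
# spec): "PSD" + ISO 3166 country code of the NCA + "-" + NCA identifier
# (2-8 upper-case letters) + "-" + PSP authorisation number from that NCA.
# The character set allowed for the authorisation number is an assumption.
PSD2_ORG_ID = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-([A-Za-z0-9]+)$")


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID string -> DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(rdns):
    """rdns: list of (oid, value, string_tag); one attribute per RDN.
    Returns DER: SEQUENCE OF (SET OF SEQUENCE { OID, string })."""
    body = b""
    for oid, value, tag in rdns:
        atv = encode_oid(oid) + _tlv(tag, value.encode("utf-8"))
        body += _tlv(TAG_SET, _tlv(TAG_SEQUENCE, atv))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, content octets, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """DER OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """DER Name -> list of (dotted oid, value) in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)          # SET OF AttributeTypeAndValue
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)           # SEQUENCE { type, value }
            _, oid_body, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            attrs.append((decode_oid(oid_body), value.decode("utf-8")))
    return attrs


def extract_psd2_identifier(der_name):
    """(country, nca, psp_number) from the Subject DN's organizationIdentifier,
    or None when the attribute is absent or not in the PSD2 syntax. Syntax
    check only; the register lookup is the validation step the thread covers."""
    for oid, value in decode_name(der_name):
        if oid == OID_ORGANIZATION_IDENTIFIER:
            match = PSD2_ORG_ID.match(value)
            return match.groups() if match else None
    return None


# Constructed sample subject; the values are illustrative, not a real PSP.
SAMPLE_SUBJECT = encode_name([
    (OID_COUNTRY_NAME, "ES", TAG_PRINTABLE),
    (OID_ORGANIZATION_NAME, "Example Payments SA", TAG_UTF8),
    (OID_ORGANIZATION_IDENTIFIER, "PSDES-BDE-3DFD21", TAG_UTF8),
])

if __name__ == "__main__":
    print(SAMPLE_SUBJECT.hex())
    print(decode_name(SAMPLE_SUBJECT))
    print(extract_psd2_identifier(SAMPLE_SUBJECT))
```

In practice the Subject DN would come out of a full X.509 parser rather than
this minimal Name decoder, which handles only single-valued RDNs and the
string types used here. The point it illustrates is that nothing in the
attribute itself ties the number to a national register entry: a relying
party that accepts the certificate still has to look the number up, which is
why the thread is asking what the CA validates before putting it there.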