[cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Nov 5 02:37:52 MST 2018


Just to provide a wider picture of the implications (to those who are 
interested in this topic):

Not only is the organizationIdentifier attribute required by ETSI TS 119 
495 (*): its presence in the QWAC certificate is also taken for granted 
by the "Implementation Guidelines" published by the Berlin Group 
(https://www.berlin-group.org/nextgenpsd2-downloads). And I suppose that 
several major banks and other fintech companies are currently developing 
and/or integrating APIs based on those guidelines.

So... it looks like a time bomb.

Adriano

(*) Which, to my understanding, technically implements the requirements 
of Art. 34 of the COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27 
November 2017.


On 29/10/2018 22:16, Tim Hollebeek wrote:
>
> It’s more or less what happened to them the last time this topic came 
> up.  If you have concrete proposals, I know they’d love to hear them.
>
> -Tim
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Monday, October 29, 2018 5:12 PM
> *To:* Tim Hollebeek <tim.hollebeek at digicert.com>
> *Cc:* CA/Browser Forum Validation WG List <validation at cabforum.org>; 
> Adriano Santoni - Actalis S.p.A. <adriano.santoni at staff.aruba.it>
> *Subject:* Re: [cabf_validation] OrganisationIdentifier mandated by 
> ETSI TS 119 495
>
> Tim,
>
> As a TS document, we can instead work with ETSI to help do things in a 
> less-risky, more compatible way. I think it'd be a great misfortune 
> and extreme misrepresentation to suggest it's telling them to "pound sand".
>
> On Mon, Oct 29, 2018 at 5:05 PM Tim Hollebeek 
> <tim.hollebeek at digicert.com <mailto:tim.hollebeek at digicert.com>> wrote:
>
>     We can tell roughly 10% of the world’s population and their
>     elected representatives to go pound sand, or we can work together
>     with them to explore whether there are reasonable accommodations
>     we can make that almost everyone can live with.
>
>     There’s no reason why certificates shouldn’t be able to contain
>     additional standardized identity information, as long as the
>     normal check-boxes get ticked (for example, auditable rules about
>     how such information is validated).
>
>     -Tim
>
>     *From:* Validation <validation-bounces at cabforum.org
>     <mailto:validation-bounces at cabforum.org>> *On Behalf Of *Ryan
>     Sleevi via Validation
>     *Sent:* Monday, October 29, 2018 10:15 AM
>     *To:* Adriano Santoni - Actalis S.p.A.
>     <adriano.santoni at staff.aruba.it
>     <mailto:adriano.santoni at staff.aruba.it>>; CA/Browser Forum
>     Validation WG List <validation at cabforum.org
>     <mailto:validation at cabforum.org>>
>     *Subject:* Re: [cabf_validation] OrganisationIdentifier mandated
>     by ETSI TS 119 495
>
>     On Sun, Oct 28, 2018 at 6:45 AM Adriano Santoni via Validation
>     <validation at cabforum.org <mailto:validation at cabforum.org>> wrote:
>
>         All,
>
>         from the past discussion on this topic, it seems to me that
>         the inclusion of the organizationIdentifier attribute (OID
>         2.5.4.97) in the Subject of an EV cert could presently be
>         regarded as a misissuance. I am not sure if this was expressly
>         pointed out, but it seems to follow from the discussion. This
>         interpretation also seems to be corroborated by the current
>         wording in EVGL §9.2.8 ("CAs ... SHALL NOT include any Subject
>         Organization Information except as specified in Section 9.2").
>
>         That, in turn, implies that QWACs cannot contain the
>         organizationIdentifier attribute, lest they do not comply with
>         the EVGLs (and therefore are not QWACs).
>
>         However the Payment Services Directive 2 (PSD2) requires
>         QWACS, and the ETSI TS 119 495 technical specification
>         ("Qualified Certificate Profiles and TSP Policy Requirements
>         under the payment services Directive (EU) 2015/236"), mandates
>         in §5.3 the inclusion of the organizationIdentifier attribute
>         in QWACs: "The organizationIdentifier shall be present in the
>         Subject's Distinguished Name and encoded with legal person
>         syntax....".
>
>         So, if I am not mistaken or overlooking anything, the puzzle
>         pieces do not fit together very well...
>
>         Now, financial institutions are already experimenting with
>         Open Banking, and for the time being they just need test (i.e.
>         untrusted) PSD2 certificates, so I guess it's not a problem
>         if they contain the organizationIdentifier attribute. But in
>         the not too far future, production (i.e. trusted) PSD2
>         certificates will be required.... Somehow this inconsistency
>         must be fixed, or CAs will not be able to issue PSD2 QWACs
>         without infringing the EVGLs.
>
>     You are correct. However, they can issue from privately trusted
>     hierarchies, just like other forms of national identifiers for
>     purposes of identity do (for example, in the US, Brazil, India,
>     South Korea, etc).
>
>     If the goal is to harmonize PSD2 with the requirements for
>     publicly trusted and accepted, then TS 119 495 needs to change to
>     reflect those constraints, much like any other certificate profile
>     for a restricted community would.
>