[cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

Ryan Sleevi sleevi at google.com
Mon Oct 29 07:15:03 MST 2018


On Sun, Oct 28, 2018 at 6:45 AM Adriano Santoni via Validation <
validation at cabforum.org> wrote:

> All,
>
> from the past discussion on this topic, it seems to me that the inclusion
> of the the organizationIdentifier attribute (OID 2.5.4.97) in the Subject
> of an EV cert could presently be regarded as a misissuance. I am not sure
> if this was expressly pointed out, but it seems to follow from the
> discussion. This interpretation also seems to be corroborated by the
> current wording in EVGL §9.2.8 ("CAs ... SHALL NOT include any Subject
> Organization Information except as specified in Section 9.2").
>
> That, in turn, implies that QWACs cannot contain the organizationIdentifier
> attribute, lest they do not comply with the EVGLs (and therefore are not
> QWACs).
>
> However the Payment Services Directive 2 (PSD2) requires QWACS, and the
> ETSI TS 119 495 technical specification ("Qualified Certificate Profiles
> and TSP Policy Requirements under the payment services Directive (EU)
> 2015/236"), mandates in §5.3 the inclusion of the organizationIdentifier
> attribute in QWACs: "The organizationIdentifier shall be present in the
> Subject's Distinguished Name and encoded with legal person syntax....".
>
> So, If I am not mistaking or overlooking anything, the puzzle pieces do
> not fit together very well...
>
> Now, financial institutions are already experimenting with Open Banking,
> and for the time being they just need test (i.e. untrusted) PSD2
> certificates , so I guess it's not a problem if they contain the
> organizationIdentifier attribute. But in the not too far future, production
> (i.e. trusted) PSD2 certificates will be required.... Somehow this
> inconsistency must be fixed, or CAs will not be able to issue PSD2 QWACs
> without infringing the EVGLs.
>
You are correct. However, they can issue from privately trusted
hierarchies, just like other forms of national identifiers for purposes of
identity do (for example, in the US, Brazil, India, South Korea, etc).

If the goal is to harmonize PSD2 with the requirements for publicly trusted
and accepted, then TS 119 495 needs to change to reflect those constraints,
much like any other certificate profile for a restricted community would.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181029/298d3732/attachment.html>


More information about the Validation mailing list