[cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

Tim Hollebeek tim.hollebeek at digicert.com
Mon Oct 29 14:05:49 MST 2018

We can tell roughly 10% of the world’s population and their elected representatives to go pound sand, or we can work together with them to explore whether there are reasonable accommodations we can make that almost everyone can live with.


There’s no reason why certificates shouldn’t be able to contain additional standardized identity information, as long as the normal check-boxes get ticked (for example, auditable rules about how such information is validated).




From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Monday, October 29, 2018 10:15 AM
To: Adriano Santoni - Actalis S.p.A. <adriano.santoni at staff.aruba.it>; CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495



On Sun, Oct 28, 2018 at 6:45 AM Adriano Santoni via Validation <validation at cabforum.org <mailto:validation at cabforum.org> > wrote:


from the past discussion on this topic, it seems to me that the inclusion of the the organizationIdentifier attribute (OID in the Subject of an EV cert could presently be regarded as a misissuance. I am not sure if this was expressly pointed out, but it seems to follow from the discussion. This interpretation also seems to be corroborated by the current wording in EVGL §9.2.8 ("CAs ... SHALL NOT include any Subject Organization Information except as specified in Section 9.2").

That, in turn, implies that QWACs cannot contain the organizationIdentifier attribute, lest they do not comply with the EVGLs (and therefore are not QWACs).

However the Payment Services Directive 2 (PSD2) requires QWACS, and the ETSI TS 119 495 technical specification ("Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/236"), mandates in §5.3 the inclusion of the organizationIdentifier attribute in QWACs: "The organizationIdentifier shall be present in the Subject's Distinguished Name and encoded with legal person syntax....".

So, If I am not mistaking or overlooking anything, the puzzle pieces do not fit together very well...

Now, financial institutions are already experimenting with Open Banking, and for the time being they just need test (i.e. untrusted) PSD2 certificates , so I guess it's not a problem if they contain the organizationIdentifier attribute. But in the not too far future, production (i.e. trusted) PSD2 certificates will be required.... Somehow this inconsistency must be fixed, or CAs will not be able to issue PSD2 QWACs without infringing the EVGLs.

You are correct. However, they can issue from privately trusted hierarchies, just like other forms of national identifiers for purposes of identity do (for example, in the US, Brazil, India, South Korea, etc).


If the goal is to harmonize PSD2 with the requirements for publicly trusted and accepted, then TS 119 495 needs to change to reflect those constraints, much like any other certificate profile for a restricted community would.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20181029/654b44ff/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20181029/654b44ff/attachment.p7s>

More information about the Validation mailing list