[cabf_validation] OrganisationIdentifier mandated by ETSI TS 119 495

Ryan Sleevi sleevi at google.com
Mon Oct 29 14:11:36 MST 2018


As a TS document, we can instead work with ETSI to help do things in a
less-risky, more compatible way. I think it'd be a great misfortune and
extreme misrepresentation to suggest it's telling them to "pound sand".

On Mon, Oct 29, 2018 at 5:05 PM Tim Hollebeek <tim.hollebeek at digicert.com>

> We can tell roughly 10% of the world’s population and their elected
> representatives to go pound sand, or we can work together with them to
> explore whether there are reasonable accommodations we can make that almost
> everyone can live with.
> There’s no reason why certificates shouldn’t be able to contain additional
> standardized identity information, as long as the normal check-boxes get
> ticked (for example, auditable rules about how such information is
> validated).
> -Tim
> *From:* Validation <validation-bounces at cabforum.org> *On Behalf Of *Ryan
> Sleevi via Validation
> *Sent:* Monday, October 29, 2018 10:15 AM
> *To:* Adriano Santoni - Actalis S.p.A. <adriano.santoni at staff.aruba.it>;
> CA/Browser Forum Validation WG List <validation at cabforum.org>
> *Subject:* Re: [cabf_validation] OrganisationIdentifier mandated by ETSI
> TS 119 495
> On Sun, Oct 28, 2018 at 6:45 AM Adriano Santoni via Validation <
> validation at cabforum.org> wrote:
> All,
> from the past discussion on this topic, it seems to me that the inclusion
> of the organizationIdentifier attribute (OID in the Subject
> of an EV cert could presently be regarded as a misissuance. I am not sure
> if this was expressly pointed out, but it seems to follow from the
> discussion. This interpretation also seems to be corroborated by the
> current wording in EVGL §9.2.8 ("CAs ... SHALL NOT include any Subject
> Organization Information except as specified in Section 9.2").
> That, in turn, implies that QWACs cannot contain the
> organizationIdentifier attribute, lest they do not comply with the EVGLs
> (and therefore are not QWACs).
> However the Payment Services Directive 2 (PSD2) requires QWACS, and the
> ETSI TS 119 495 technical specification ("Qualified Certificate Profiles
> and TSP Policy Requirements under the payment services Directive (EU)
> 2015/236"), mandates in §5.3 the inclusion of the organizationIdentifier
> attribute in QWACs: "The organizationIdentifier shall be present in the
> Subject's Distinguished Name and encoded with legal person syntax....".
> So, if I am not mistaken or overlooking anything, the puzzle pieces do
> not fit together very well...
> Now, financial institutions are already experimenting with Open Banking,
> and for the time being they just need test (i.e. untrusted) PSD2
> certificates, so I guess it's not a problem if they contain the
> organizationIdentifier attribute. But in the not too far future, production
> (i.e. trusted) PSD2 certificates will be required.... Somehow this
> inconsistency must be fixed, or CAs will not be able to issue PSD2 QWACs
> without infringing the EVGLs.
> You are correct. However, they can issue from privately trusted
> hierarchies, just like other forms of national identifiers for purposes of
> identity do (for example, in the US, Brazil, India, South Korea, etc).
> If the goal is to harmonize PSD2 with the requirements for publicly
> trusted and accepted, then TS 119 495 needs to change to reflect those
> constraints, much like any other certificate profile for a restricted
> community would.
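The conflict Adriano describes above can be made concrete as a pre-issuance lint. The following is an added example written for this archive page, not code from the thread, from ETSI, or from the CA/Browser Forum. It models a Subject DN as a list of (OID, value) pairs after DER parsing (parsing is out of scope), checks it against EVGL 9.2.8 (no Subject attribute outside Section 9.2) and against TS 119 495 5.3 (organizationIdentifier present, in PSD2 legal person syntax), and shows that no Subject can satisfy both at once. The list of permitted EV attributes and the regular expressions for the ETSI legal person and PSD2 identifier forms are my reading of the respective specifications and are labelled as assumptions in the code; the sample Subjects and identifiers are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Subject DN modelled as an ordered list of (dotted OID, value) pairs, as a
# linter would receive it after DER parsing (parsing is out of scope here).
Subject = List[Tuple[str, str]]

# X.520 organizationIdentifier (id-at-organizationIdentifier, 2.5.4.97): the
# attribute ETSI TS 119 495 section 5.3 requires in a PSD2 QWAC Subject.
OID_ORGANIZATION_IDENTIFIER = "2.5.4.97"

# Subject attributes the EV Guidelines section 9.2 specify. Assumption: this
# set is my reading of the Guidelines at the time of the thread, not a
# normative list; adjust it to the version your CA is audited against.
EV_ALLOWED_SUBJECT_OIDS = {
    "2.5.4.3",                   # commonName
    "2.5.4.10",                  # organizationName
    "2.5.4.11",                  # organizationalUnitName
    "2.5.4.15",                  # businessCategory
    "2.5.4.5",                   # serialNumber (registration number)
    "2.5.4.9",                   # streetAddress
    "2.5.4.7",                   # localityName
    "2.5.4.8",                   # stateOrProvinceName
    "2.5.4.17",                  # postalCode
    "2.5.4.6",                   # countryName
    "1.3.6.1.4.1.311.60.2.1.1",  # jurisdictionLocalityName
    "1.3.6.1.4.1.311.60.2.1.2",  # jurisdictionStateOrProvinceName
    "1.3.6.1.4.1.311.60.2.1.3",  # jurisdictionCountryName
}

# ETSI "legal person" syntax as I understand EN 319 412-1: a three-letter
# identifier type, a two-letter country code, a hyphen, then the identifier.
# Assumption: only the identifier types commonly seen in practice are listed.
LEGAL_PERSON_RE = re.compile(r"^(?:VAT|NTR|PSD|LEI)[A-Z]{2}-\S+$")

# PSD2-specific form from TS 119 495 as I understand it: "PSD", NCA country,
# hyphen, NCA identifier (2-8 upper-case letters), hyphen, PSP authorisation
# number. Assumption: the exact NCA/PSP character rules follow the spec text.
PSD2_ID_RE = re.compile(r"^PSD[A-Z]{2}-[A-Z]{2,8}-[A-Za-z0-9]+$")


def is_legal_person_syntax(value: str) -> bool:
    """True if the value uses the ETSI legal-person organizationIdentifier form."""
    return LEGAL_PERSON_RE.match(value) is not None


def is_psd2_identifier(value: str) -> bool:
    """True if the value uses the PSD2 (TS 119 495) organizationIdentifier form."""
    return PSD2_ID_RE.match(value) is not None


def ev_findings(subject: Subject) -> List[str]:
    """Findings against EVGL 9.2.8: any Subject attribute outside section 9.2."""
    findings = []
    for oid, value in subject:
        if oid not in EV_ALLOWED_SUBJECT_OIDS:
            findings.append(
                f"EVGL 9.2.8: attribute {oid} ({value!r}) is not a Section 9.2 attribute"
            )
    return findings


def psd2_findings(subject: Subject) -> List[str]:
    """Findings against TS 119 495 5.3: organizationIdentifier present and well formed."""
    values = [v for oid, v in subject if oid == OID_ORGANIZATION_IDENTIFIER]
    if not values:
        return ["TS 119 495 5.3: organizationIdentifier missing from Subject"]
    return [
        f"TS 119 495 5.3: organizationIdentifier {v!r} is not in PSD2 legal person syntax"
        for v in values
        if not is_psd2_identifier(v)
    ]


def lint_subject(subject: Subject) -> Dict[str, List[str]]:
    """Run both profile checks; an empty list means that profile is satisfied."""
    return {"ev": ev_findings(subject), "psd2": psd2_findings(subject)}


def satisfies_both(subject: Subject) -> bool:
    """True only if the Subject is EV-compliant and a valid PSD2 QWAC Subject."""
    result = lint_subject(subject)
    return not result["ev"] and not result["psd2"]


# Constructed sample Subjects (placeholder names and identifiers, not real PSPs).
EV_ONLY_SUBJECT: Subject = [
    ("2.5.4.6", "XX"),
    ("2.5.4.10", "Example Bank"),
    ("2.5.4.15", "Private Organization"),
    ("2.5.4.5", "000000"),
    ("1.3.6.1.4.1.311.60.2.1.3", "XX"),
    ("2.5.4.3", "openbanking.example"),
]
PSD2_SUBJECT: Subject = EV_ONLY_SUBJECT + [
    (OID_ORGANIZATION_IDENTIFIER, "PSDXX-NCAID-000000"),
]

if __name__ == "__main__":
    for name, subj in (("EV-only", EV_ONLY_SUBJECT), ("PSD2", PSD2_SUBJECT)):
        print(name, lint_subject(subj), "satisfies both:", satisfies_both(subj))
```

Running it shows the EV-only Subject passing the EV check but failing TS 119 495 5.3 (no organizationIdentifier), and the PSD2 Subject passing TS 119 495 but failing EVGL 9.2.8 on attribute 2.5.4.97; satisfies_both is False for both. A CA that wires such a check into pre-issuance linting catches the profile conflict before a certificate is issued rather than in a post-issuance misissuance report, and the allowed-attribute set is the single place to update if the Guidelines change.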