[cabf_validation] [EXTERNAL] Re: Including LEIs as extensions in EV certificates

Wayne Thayer wthayer at mozilla.com
Tue Sep 24 08:56:19 MST 2019


Ah, okay. Then I'm not terribly confused - I had just forgotten the
requirement to place the info in both the Subject and an extension.

On Tue, Sep 24, 2019 at 5:47 PM Ryan Sleevi via Validation <
validation at cabforum.org> wrote:

>
>
> On Tue, Sep 24, 2019 at 11:35 AM Wayne Thayer via Validation <
> validation at cabforum.org> wrote:
>
>> I'm running on not much sleep, so it's quite possible that I am [extra]
>> confused, however I was literally referring to Tim's ballot proposal:
>>
>>
>> https://github.com/cabforum/documents/compare/master...timfromdigicert:Ballot-LEI?expand=1
>>
>
> No worries.
>
> Appendix G (which adds LEI as a registration scheme) slots into
> organizationIdentifier (for now), and into Section 9.8.2,
> cabfOrganizationIdentifier, which is an extension within the certificate
> itself (i.e. instead of using the X.500 organizationIdentifier attribute)
>
> Effective 2020-Jan-1, CAs including PSD2 information MUST use the
> extension if the organizationIdentifier is to be filled.
>
> This creates the path for either ETSI ESI to transition to the extension
> or for browsers to eventually reject certificates (and CAs) that include
> the information in the Subject. By mandating the extension is present, it
> ensures that the use of the Subject field is only temporary, and only until
> ETSI ESI can update, or alternative schemes for meeting the eIDAS
> Regulation are developed (e.g. using something other than ETSI ESI's
> materials)