[cabf_validation] Proposed Update to EV to include OrganisationIdentifier as per ETSI standard

Ryan Sleevi sleevi at google.com
Mon Jun 11 06:00:50 MST 2018


That seems like a strictly worse proposal, because it does not define any
validation requirements. Also, the interpretation of BRs 7.1.4.2.2 wasn't
aligned with the discussion.

As discussed during the F2F, it seems that there's a far more viable option
that's aligned with publicly trusted certificates, namely, that of aligning
in the QcStatements. We spent quite some time trying to understand the
rationale and necessity of encoding in the subject, as it seemed like it
was based on both a misunderstanding of the value proposition and of the
technical necessity.

I would again reiterate those concerns, to ask why this information cannot
be encoded within the qcStatements.

On Mon, Jun 11, 2018 at 8:23 AM, Dimitris Zacharopoulos via Validation <validation at cabforum.org> wrote:

>
> According to the BRs 7.1.4.2.2:
>
> "j. Other Subject Attributes All other optional attributes, when present
> within the subject field, MUST contain information that has been verified
> by the CA. Optional attributes MUST NOT contain metadata such as '.', '-',
> and ' ' (i.e. space) characters, and/or any other indication that the value
> is absent, incomplete, or not applicable."
>
> This clause allows additional attributes to be added in the subjectDN
> field. If there is any other clause in the BRs that forbids this or sets
> additional requirements on "Other Subject Attributes" in the subjectDN, we
> should also accommodate them, but I think Mr. Pope's proposal is aligned
> with the BRs.
>
> During the F2F, there were valid arguments that the proposal to add the
> subject:organizationIdentifier should not depend only on the PSD2 model but
> should be more broadly applicable. I propose using more inclusive
> language:
>
> --- BEGIN PROPOSED TEXT ---
> "Proposed additional text for CA/Browser Forum EV Guidelines section 9.2.x:
>
> *Certificate field*: organizationIdentifier (OID 2.5.4.97)
> *Required/Optional*: Optional
> *Contents*: This contains subject additional registration information as
> required for specific regulatory purposes other than the registration as
> described in 9.2.6. This field MAY be encoded as specified in ETSI TS 119
> 412-1 v1.2.1 clause 5.1.4"
>
> --- END PROPOSED TEXT ---
>
> This text allows the subject:organizationIdentifier attribute to be used
> by any Jurisdiction without enforcing specific semantics. Those that want
> to additionally adhere to the PSD2 directive would request the specific
> semantics per ETSI TS 119 412-1 v1.2.1 clause 5.1.4, including the
> semanticsIdentifier in the QcStatements extension.
>
>
> Dimitris.
>
>
>
> On 11/6/2018 2:23 PM, Pope, Nick via Validation wrote:
>
> All,
>
> As discussed at last week’s CAB Forum plenary I would like to propose that
> the following text be added to EV Guidelines section 9.2.x:
>
> Certificate field: organizationIdentifier (OID 2.5.4.97)
>
> Required/Optional: Optional
>
> Contents: This contains subject additional registration information as
> required for specific regulatory purposes other than the registration as
> described in 9.2.6. This field shall be encoded as specified in ETSI TS
> 119 412-1 v1.2.1 clause 5.1.4. This shall not contain registration number
> from a national trade register as identified by “NTR” in ETSI TS 119 412-1
> v1.2.1 clause 5.1.4.
>
> Before this is submitted to the main list I would welcome any suggestions
> regarding changes to this proposal to best fit in with the CAB Forum
> approach to validation.
>
> Regards
>
> Nick Pope
>
> ------------------------------
>
> Nick Pope
> Principal Consultant, Advanced Solutions Group
>
> Tel: +44 1844 203585
> Mob: +44 7880 787940
>
> @thalesesecurity <https://www.twitter.com/thalesesecurity>
>
> Thales eSecurity
> Meadow View House, Long Crendon
> Aylesbury HP18 9EQ
> United Kingdom
>
> www.thalesesecurity.com
>
> _______________________________________________
> Validation mailing list
> Validation at cabforum.org
> https://cabforum.org/mailman/listinfo/validation
>
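The two rules the thread turns on, the BR 7.1.4.2.2(j) ban on metadata-only values in optional subject attributes and the ETSI TS 119 412-1 clause 5.1.4 layout for organizationIdentifier, can both be checked mechanically before a certificate is issued. The Python below is an added example written for this page; it is not code from the CA/Browser Forum, ETSI, or any participant in the thread. The "three-letter identity type, two-letter country code, hyphen-minus, identifier" layout, the short list of type references (VAT, NTR, PSD, LEI), the placeholder strings, and the NCA/PSP split of PSD values (which comes from the separate PSD2 profile ETSI TS 119 495) are assumptions stated from memory of those standards rather than taken from this page; every sample value is constructed.

```python
"""Lint a proposed organizationIdentifier (OID 2.5.4.97) subject value.

Added example for this page, not CA/B Forum, ETSI or any CA's tooling.
Assumptions: the ETSI TS 119 412-1 clause 5.1.4 layout, the subset of identity
type references, the placeholder list and the PSD2 NCA/PSP split are recalled
from the standards, not quoted from the mailing-list thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# BR 7.1.4.2.2(j): optional subject attributes MUST NOT contain metadata such as
# '.', '-' and ' ', or any other indication that the value is absent or N/A.
_METADATA_CHARS = set(".- ")
# Assumed placeholder strings a CA might wrongly use for "not applicable".
_PLACEHOLDERS = {"N/A", "NA", "NONE", "NULL", "NOT APPLICABLE"}


def violates_br_7_1_4_2_2_j(value: str) -> bool:
    """True when the value is only metadata characters or a placeholder."""
    if "".join(ch for ch in value if ch not in _METADATA_CHARS) == "":
        return True
    return value.strip().upper() in _PLACEHOLDERS


# ETSI TS 119 412-1 clause 5.1.4 layout as assumed here: three-letter identity
# type reference, two-letter ISO 3166 country code, hyphen-minus, identifier.
_KNOWN_TYPES = {"VAT", "NTR", "PSD", "LEI"}  # assumed subset; see the standard
_ETSI_RE = re.compile(r"^([A-Z]{3})([A-Z]{2})-(.+)$")


@dataclass
class OrgId:
    type_ref: str
    country: str
    identifier: str
    nca_id: Optional[str] = None  # PSD only: national competent authority
    psp_id: Optional[str] = None  # PSD only: payment service provider id


def parse_etsi_organization_identifier(value: str) -> OrgId:
    """Split a clause 5.1.4 value into its parts, raising ValueError if malformed."""
    m = _ETSI_RE.match(value)
    if not m:
        raise ValueError(f"not in ETSI 5.1.4 layout: {value!r}")
    type_ref, country, ident = m.groups()
    if type_ref not in _KNOWN_TYPES:
        raise ValueError(f"unknown identity type reference {type_ref!r}")
    if violates_br_7_1_4_2_2_j(ident):
        raise ValueError(f"identifier part is metadata only: {ident!r}")
    org = OrgId(type_ref, country, ident)
    if type_ref == "PSD":
        # PSD2 authorisation numbers (ETSI TS 119 495, assumed here) carry the
        # NCA id and the PSP id separated by a second hyphen: PSDES-BDE-1234
        nca, sep, psp = ident.partition("-")
        if not sep or not nca or not psp:
            raise ValueError(f"PSD identifier needs NCA-PSP parts: {ident!r}")
        org.nca_id, org.psp_id = nca, psp
    return org


def lint_organization_identifier(value: str, forbid_ntr: bool = False) -> list[str]:
    """Return the problems found with a value; an empty list means it passes.

    forbid_ntr mirrors the sentence in the draft text that excludes national
    trade register ("NTR") numbers from this attribute.
    """
    problems: list[str] = []
    if violates_br_7_1_4_2_2_j(value):
        problems.append("BR 7.1.4.2.2(j): value is metadata or a placeholder only")
        return problems
    try:
        org = parse_etsi_organization_identifier(value)
    except ValueError as exc:
        problems.append(f"ETSI TS 119 412-1 clause 5.1.4: {exc}")
        return problems
    if forbid_ntr and org.type_ref == "NTR":
        problems.append("NTR registration numbers are excluded by the draft text")
    return problems


# Constructed sample values, not taken from any real certificate.
SAMPLES = ["PSDES-BDE-1234", "VATDE-123456789", "NTRGB-12345678",
           " - . ", "N/A", "vatde-123", "XYZDE-1", "PSDES-BDE"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:20} ->", lint_organization_identifier(sample, forbid_ntr=True) or "ok")
```

Run as a script it prints one verdict per sample; the only sample that passes the BR check but fails the draft text is the NTR value, which is exactly the case Nick Pope's "shall not contain" sentence was written for.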