[cabf_validation] Proposed Update to EV to include OrganisationIdentifier as per ETSI standard

Dimitris Zacharopoulos jimmy at it.auth.gr
Mon Jun 11 06:25:52 MST 2018



On 11/6/2018 4:00 PM, Ryan Sleevi wrote:
> That seems like a strictly worse proposal, because it does not define 
> any validation requirements. Also, the interpretation of BRs 7.1.4.2.2 
> wasn't aligned with the discussion.
>

My proposal tried to address specific concerns about the "exclusive" use 
of the organizationIdentifier by ETSI. If you are concerned about the 
validation requirements, we should address those but I wouldn't expect 
them to be materially different than the validation of the "Registration 
Number".

> As discussed during the F2F, it seems that there's a far more viable 
> option that's aligned with publicly trusted certificates, namely, that 
> of aligning in the QcStatements. We spent quite some time trying to 
> understand the rationale and necessity of encoding in the subject, as 
> it seemed like it was based on both a misunderstanding of the value 
> proposition and of the technical necessity.
>
> I would again reiterate those concerns, to ask why this information 
> cannot be encoded within the qcStatements.

As you said, both would be "viable" options so there is no 
misunderstanding about the technical necessity. They should both work. I 
believe that since this identifier is very specific information 
directly coupled with the Subject of the Certificate, it should be in 
the designated extension, which is the Subject DN. For me, it doesn't 
make sense to include information related uniquely to the Subject in 
the qcStatements. All the existing ETSI TS or EN documents related to 
the qcStatements extensions do not contain identifiable information 
related to the Subject. Mr. Pope can correct me if I'm wrong here.


Dimitris.

>
> On Mon, Jun 11, 2018 at 8:23 AM, Dimitris Zacharopoulos via Validation 
> <validation at cabforum.org <mailto:validation at cabforum.org>> wrote:
>
>
>     According to the BRs 7.1.4.2.2:
>
>     "j. Other Subject Attributes All other optional attributes, when
>     present within the subject field, MUST contain information that
>     has been verified by the CA. Optional attributes MUST NOT contain
>     metadata such as '.', '-', and ' ' (i.e. space) characters, and/or
>     any other indication that the value is absent, incomplete, or not
>     applicable."
>
>     This clause allows additional attributes to be added in the
>     subjectDN field. If there is any other clause in the BRs that
>     forbids this or sets additional requirements on "Other Subject
>     Attributes" in the subjectDN, we should also accommodate them, but
>     I think Mr. Pope's proposal is aligned with the BRs.
>
>     During the F2F, there were valid arguments that the proposal to
>     add the subject:organizationIdentifier should not depend only on
>     the PSD2 model but should be more broadly applicable. I propose
>     using more inclusive language:
>
>     --- BEGIN PROPOSED TEXT ---
>     "Proposed additional text for CA/Browser Forum EV Guidelines
>     section 9.2.x:
>
>     *Certificate field*: organizationIdentifier (OID 2.5.4.97)
>     *Required/Optional*: Optional
>     *Contents*: This contains subject additional registration
>     information as required for specific regulatory purposes other
>     than the registration as described in 9.2.6. This field MAY be
>     encoded as specified in ETSI TS 119 412-1 v1.2.1 clause 5.1.4"
>
>     --- END PROPOSED TEXT ---
>
>     This text allows the subject:organizationIdentifier attribute to
>     be used by any Jurisdiction without enforcing specific semantics.
>     Those that want to additionally adhere to the PSD2 directive would
>     request the specific semantics per ETSI TS 119 412-1 v1.2.1 clause
>     5.1.4, including the semanticsIdentifier in the QcStatements
>     extension.
>
>
>     Dimitris.
>
>
>
>     On 11/6/2018 2:23 PM, Pope, Nick via Validation wrote:
>>
>>     All,
>>
>>     As discussed at last week's CAB Forum plenary I would like to
>>     propose that the following text be added to EV Guidelines
>>     section 9.2.x:
>>
>>     Certificate field: organizationIdentifier (OID 2.5.4.97)
>>
>>     Required/Optional: Optional
>>
>>     Contents: This contains subject additional registration
>>     information as required for specific regulatory purposes other
>>     than the registration as described in 9.2.6. This field shall be
>>     encoded as specified in ETSI TS 119 412-1 v1.2.1 clause 5.1.4.
>>     This shall not contain a registration number from a national trade
>>     register as identified by "NTR" in ETSI TS 119 412-1 v1.2.1
>>     clause 5.1.4.
>>
>>     Before this is submitted to the main list I would welcome any
>>     suggestions regarding changes to this proposal to best fit in
>>     with the CAB Forum approach to validation.
>>
>>     Regards
>>
>>     Nick Pope
>>
>>
>>
>>     _______________________________________________
>>     Validation mailing list
>>     Validation at cabforum.org <mailto:Validation at cabforum.org>
>>     https://cabforum.org/mailman/listinfo/validation
>>     <https://cabforum.org/mailman/listinfo/validation>

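The value syntax from ETSI TS 119 412-1 clause 5.1.4 and the BR 7.1.4.2.2 (j) rule against metadata-only values, both discussed in this thread, as an added example that is not part of the thread or of either proposal: a small Python linter for a subject:organizationIdentifier value, written from a CA or linter author's point of view. It assumes the layout as I read clause 5.1.4 (a three-character identity type such as VAT, NTR, PSD or LEI, a two-letter ISO 3166 country code, a hyphen-minus, then the scheme-specific identifier; for PSD the identifier is itself NCA id, hyphen, authorisation number). The function names, the `KNOWN_SCHEMES` set and the sample values are my own constructions. The `forbid_ntr` switch models the difference between the two proposals: the first text excludes national trade register numbers from this attribute, the more inclusive text does not.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# BR 7.1.4.2.2 (j): an optional subject attribute must not consist only of
# "metadata" characters ('.', '-', ' ') that signal an absent value.
_METADATA_ONLY = re.compile(r"^[.\- ]*$")

# Assumed generic layout (my reading of ETSI TS 119 412-1 clause 5.1.4):
# TTTCC-identifier = 3-char identity type, 2-letter country code,
# hyphen-minus, scheme-specific identifier.
_GENERIC = re.compile(r"^(?P<scheme>[A-Z]{3})(?P<country>[A-Z]{2})-(?P<identifier>.+)$")

# Assumed PSD2 layout of the identifier part: <NCA id>-<authorisation number>.
_PSD_ID = re.compile(r"^(?P<nca>[A-Z0-9]+)-(?P<auth>[A-Za-z0-9]+)$")

# Identity types this linter recognises (constructed list, not exhaustive).
KNOWN_SCHEMES = {"VAT", "NTR", "PSD", "LEI"}


@dataclass
class OrgIdentifier:
    scheme: str
    country: str
    identifier: str
    nca: Optional[str] = None          # PSD only: national competent authority
    auth_number: Optional[str] = None  # PSD only: authorisation number


def parse_organization_identifier(value: str) -> OrgIdentifier:
    """Split an organizationIdentifier value into its parts; raise ValueError if malformed."""
    if _METADATA_ONLY.match(value):
        raise ValueError("value consists only of metadata characters (BR 7.1.4.2.2 j)")
    m = _GENERIC.match(value)
    if not m:
        raise ValueError(f"not in TTTCC-identifier form: {value!r}")
    parsed = OrgIdentifier(m["scheme"], m["country"], m["identifier"])
    if parsed.scheme == "PSD":
        p = _PSD_ID.match(parsed.identifier)
        if not p:
            raise ValueError("PSD identifier must be <NCA id>-<authorisation number>")
        parsed.nca, parsed.auth_number = p["nca"], p["auth"]
    return parsed


def lint_for_ev(value: str, forbid_ntr: bool) -> List[str]:
    """Return findings for an EV subject:organizationIdentifier value; [] means accepted.

    forbid_ntr=True models the proposal that keeps national trade register
    numbers out of this attribute (they belong in the 9.2.6 Registration
    Number field); False models the more inclusive wording.
    """
    findings: List[str] = []
    try:
        parsed = parse_organization_identifier(value)
    except ValueError as exc:
        return [str(exc)]
    if parsed.scheme not in KNOWN_SCHEMES:
        findings.append(f"unrecognised identity type {parsed.scheme!r}; confirm it is a registered type")
    if forbid_ntr and parsed.scheme == "NTR":
        findings.append("NTR (national trade register) number not allowed in organizationIdentifier under this proposal")
    if _METADATA_ONLY.match(parsed.identifier):
        findings.append("identifier part is empty or metadata only (BR 7.1.4.2.2 j)")
    return findings


if __name__ == "__main__":
    # Constructed sample values in the assumed syntax.
    for sample in ["VATBE-0123456789", "PSDES-BDE-3DFD21", "NTRGB-12345678", "---", "PSDES-BDE"]:
        print(sample, "->", lint_for_ev(sample, forbid_ntr=True) or "ok")
```

Run stand-alone, the block lints five constructed values under the stricter proposal; a CA would call `lint_for_ev` from its pre-issuance linting with `forbid_ntr` set to whichever text the Forum adopts.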