[cabf_validation] Proposed Update to EV to include OrganisationIdentifier as per ETSI standard

Tim Hollebeek tim.hollebeek at digicert.com
Mon Jun 11 11:17:20 MST 2018

So jurisdictionOfIncorporation doesn’t disambiguate, as DigiCert issues tons of non-ETSI certificates for subjects in such jurisdictions.  You really need the qc OID or something similar either instead of or as well as jOI.




From: Validation [mailto:validation-bounces at cabforum.org] On Behalf Of Dimitris Zacharopoulos via Validation
Sent: Monday, June 11, 2018 12:48 PM
To: Ryan Sleevi <sleevi at google.com>
Cc: CA/Browser Forum Validation WG List <validation at cabforum.org>
Subject: Re: [cabf_validation] Proposed Update to EV to include OrganisationIdentifier as per ETSI standard



On 11/6/2018 7:32 μμ, Ryan Sleevi wrote:

2) For the ETSI case, it doesn't prevent other organizations for issuing in this in a way that can be seen as confusing/misleading

I do not agree with this interpretation. It is no more "confusing/misleading" than the serialNumber attribute. For Subscribers that want to abide by some kind of regulation that requires the organizationIdentifier field to be completed in a semantic-specific way, the associated TSP will know how to encode this information in the Certificate. IMHO there is no need to add more complex rules (like describing the entire ETSI qcStatements requirements) in the EV guidelines. A simple reference to the relevant ETSI documents and a "MAY", should be sufficient.


Except the serialNumber has a defined context to disambiguate, as was also pointed out in the F2F - namely, that jurisdictionOfIncorporation serves to disambiguate the context of the serialNumber is an extensible and unambiguous way that is unified.

I can now see clearer the concerns you raised related to the serialNumber. Even though the serialNumber field doesn't contain specific semantics, its combination with the jurisdictionOfIncorporation fields disambiguate the information. If we leave the organizationIdentifier without semantics, we create the same problem. Makes more sense now and can see the clear preference of mr. Pope's proposal.

Thanks for your patience and this nice discussion :)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20180611/edc3abdf/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4940 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20180611/edc3abdf/attachment.p7s>

More information about the Validation mailing list