[cabf_validation] Topic for our next VWG call: LEI

Doug Beattie doug.beattie at globalsign.com
Tue Feb 5 12:21:22 MST 2019

Hi Tim,

I'd like to bring up the topic of LEIs at our VWG call next Thursday.  While the topic was discussed last July (https://cabforum.org/pipermail/public/2018-July/013659.html), I don't feel like we reached an agreement.

The OU fields seems like the most obvious place and the BRs say this about the OU field:

*       The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, , subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section

I'd like to discuss if the use of LEI identifiers in SSL certificates is compliant with the BRs.  This is a pointer to the Legal Entity data at a point in time (which a CA is obligated to verify at issuance per the definition of OU above), however, LEIs can change over time: https://leismart.com/blog/lei-data-is-not-static/  This means that while the data will be verified by the CA when issued, there is no guarantee that the data remains unchanged/vetted by the CA if it changes.

Is using LEIs in the subject name of SSL certificates permitted?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 31496 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/validation/attachments/20190205/d495ead4/attachment-0001.bin>

More information about the Validation mailing list