[cabf_validation] Topic for our next VWG call: LEI
doug.beattie at globalsign.com
Tue Feb 5 12:21:22 MST 2019
I'd like to bring up the topic of LEIs at our VWG call next Thursday. While the topic was discussed last July (https://cabforum.org/pipermail/public/2018-July/013659.html), I don't feel like we reached an agreement.
The OU field seems like the most obvious place, and the BRs say this about the OU field:
* The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 3.2 and the Certificate also contains subject:organizationName, subject:givenName, subject:surname, subject:localityName, and subject:countryName attributes, also verified in accordance with Section 22.214.171.124.
I'd like to discuss if the use of LEI identifiers in SSL certificates is compliant with the BRs. This is a pointer to the Legal Entity data at a point in time (which a CA is obligated to verify at issuance per the definition of OU above); however, LEIs can change over time: https://leismart.com/blog/lei-data-is-not-static/ This means that while the data will be verified by the CA when issued, there is no guarantee that the data remains unchanged/vetted by the CA if it changes.
Is using LEIs in the subject name of SSL certificates permitted?