[cabf_validation] [EXTERNAL] Re: Including LEIs as extensions in EV certificates

Ryan Sleevi sleevi at google.com
Tue Sep 24 08:46:25 MST 2019


On Tue, Sep 24, 2019 at 11:35 AM Wayne Thayer via Validation <
validation at cabforum.org> wrote:

> I'm running on not much sleep, so it's quite possible that I am [extra]
> confused, however I was literally referring to Tim's ballot proposal:
>
>
> https://github.com/cabforum/documents/compare/master...timfromdigicert:Ballot-LEI?expand=1
>

No worries.

Appendix G (which adds LEI as a registration scheme) slots into
organizationIdentifier (for now), and into Section 9.8.2,
cabfOrganizationIdentifier, which is an extension within the certificate
itself (i.e. instead of using the X.500 organizationIdentifier attribute).

Effective 2020-Jan-1, CAs including PSD2 information MUST use the extension
if the organizationIdentifier is to be filled.

This creates the path for either ETSI ESI to transition to the extension or
for browsers to eventually reject certificates (and CAs) that include the
information in the Subject. By mandating the extension is present, it
ensures that the use of the Subject field is only temporary, and only until
ETSI ESI can update, or alternative schemes for meeting the eIDAS
Regulation are developed (e.g. using something other than ETSI ESI's
materials).