[cabf_validation] [EXTERNAL]Re: Including LEIs as extensions in EV certificates

Doug Beattie doug.beattie at globalsign.com
Tue Sep 24 09:17:17 MST 2019


The thread has gone in many directions and I’m not sure where we stand. It seems like there is general support for including LEI as Registration Scheme in organizationIdentifier and that root programs won’t distrust the CA or certificate if it’s done that way. Wayne/Ryan: Is that right?

From: Validation <validation-bounces at cabforum.org> On Behalf Of Ryan Sleevi via Validation
Sent: Tuesday, September 24, 2019 11:46 AM
To: Wayne Thayer via Validation <validation at cabforum.org>
Subject: Re: [cabf_validation] [EXTERNAL]Re: Including LEIs as extensions in EV certificates

On Tue, Sep 24, 2019 at 11:35 AM Wayne Thayer via Validation <validation at cabforum.org> wrote:

I'm running on not much sleep, so it's quite possible that I am [extra] confused, however I was literally referring to Tim's ballot proposal: 

https://github.com/cabforum/documents/compare/master...timfromdigicert:Ballot-LEI?expand=1

No worries.

Appendix G (which adds LEI as a registration scheme) slots into organizationIdentifier (for now), and into Section 9.8.2, cabfOrganizationIdentifier, which is an extension within the certificate itself (i.e. instead of using the X.500 organizationIdentifier attribute).

Effective 2020-Jan-1, CAs including PSD2 information MUST use the extension if the organizationIdentifier is to be filled.

This creates the path for either ETSI ESI to transition to the extension or for browsers to eventually reject certificates (and CAs) that include the information in the Subject. By mandating the extension is present, it ensures that the use of the Subject field is only temporary, and only until ETSI ESI can update, or alternative schemes for meeting the eIDAS Regulation are developed (e.g. using something other than ETSI ESI's materials).
