
The inclusion of additional information in EV SSL certificates for compliance with EU legal regulations is now allowed

The CA/B Forum, the regulatory body for the SSL industry, accepted Ballot SC17 by a majority vote. Under the new rule, EV SSL certificates may include additional information that makes it possible to meet the requirements of EU legislation.

As a result, the rules of the EV Guidelines have been updated. The changes affected several sections, which we will discuss below.

Adding a new section 9.2.8

A new section 9.2.8 has been added, which contains rules for specifying an organisation identifier (Registration Reference). In particular, the requirements for the identifier itself and its registration scheme were specified.

So, organisationIdentifier must be encoded as a PrintableString or UTF8String (see RFC 5280).

In order to be valid, the registration scheme should be presented as follows:

  • 3-character Registration Scheme identifier.
  • 2-character ISO 3166 country code for the country where this registration scheme is valid. If the scheme works globally, then the XG code is used.
  • For the NTR registration scheme, a 2-character ISO 3166-2 identifier for administrative-territorial units (state or province) where the registration scheme is valid, which must also be preceded by a “+” sign.
  • The “-” sign (hyphen).

Examples of valid schemes:

  • NTRGB-12345678 (NTR scheme, UK).
  • NTRUS+CA-12345678 (NTR scheme, US, California).
  • VATDE-123456789 (VAT scheme, Germany).

The new requirements also apply to certification authorities. In particular, according to the new rules, they should:

  1. Confirm that the organisation indicated in the identifier corresponds to the organisation in the organisationName field in the context of the jurisdiction of the entity.
  2. Verify that the organisation identifier corresponds to the rest of the information checked in accordance with section 11.
  3. Take appropriate measures to eliminate contradictions between different organisations.
  4. Apply validation rules consistent with the registration scheme.

The rules for validation of registration schemes for certification authorities are described in the new Appendix H in the EV Guidelines.

Adding a new section 9.8

A new section 9.8 has been added, in which some certificate extensions are listed. Extensions are recommended to ensure maximum compatibility between certificates and browsers/applications. These extensions are not required for certification authorities (with the exception of those that are explicitly marked as required).

Subject Alternative Name extension (required)

This extension must include one or more domain names owned or controlled by the subject, and they must be associated with the server of the subject.

CA / Browser Forum Organisation Identifier field (optional)

Starting from 31 January 2020, if the subject:organisationIdentifier field is present in the certificate, then the cabfOrganisationIdentifier field should also be present.

If the field is present, it must contain a registration identifier for the legal entity, assigned in accordance with the registration scheme.

The registration scheme shall be encoded according to the ASN.1 grammar:

  id-CABFOrganisationIdentifier OBJECT IDENTIFIER ::= {
    joint-iso-itu-t(2) international-organizations(23) ca-browser-forum(140)
    certificate-extensions(3) cabf-organization-identifier(1) }

  ext-CABFOrganisationIdentifier EXTENSION ::= {
    SYNTAX CABFOrganisationIdentifier
    IDENTIFIED BY id-CABFOrganisationIdentifier }

  CABFOrganisationIdentifier ::= SEQUENCE {
    registrationSchemeIdentifier PrintableString (SIZE(3)),
    registrationCountry          PrintableString (SIZE(2)),
    registrationStateOrProvince  [0] IMPLICIT PrintableString (SIZE(0..128)) OPTIONAL,
    registrationReference        UTF8String
  }

All subfields are subject to the restrictions described in 9.2.8.

Adding Appendix H

According to Appendix H, the following registration schemes are currently recognised:

  • NTR
  • VAT
  • PSD
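
The following added example (not code from the original article or from the CA/B Forum) parses a subject:organisationIdentifier string according to the section 9.2.8 layout and DER-encodes the matching CABFOrganisationIdentifier SEQUENCE, so the two fields can be checked for consistency. The function names are hypothetical, and the 2-character alphanumeric pattern for the state or province is an assumption based on the list above.

```python
import re

# Registration schemes this page lists as recognised in Appendix H.
SCHEMES = {"NTR", "VAT", "PSD"}
# scheme(3) country(2) ["+" state/province(2), assumed alphanumeric] "-" reference
_ID_RE = re.compile(r"([A-Z]{3})([A-Z]{2})(?:\+([A-Z0-9]{2}))?-(.+)")


def parse_org_id(value):
    """Split an organisationIdentifier string into (scheme, country, state, reference)."""
    m = _ID_RE.fullmatch(value)
    if not m:
        raise ValueError(f"malformed organisationIdentifier: {value!r}")
    scheme, country, state, reference = m.groups()
    if scheme not in SCHEMES:
        raise ValueError(f"unrecognised registration scheme: {scheme}")
    if state is not None and scheme != "NTR":
        raise ValueError("state/province is only defined for the NTR scheme")
    return scheme, country, state, reference


def _tlv(tag, content):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def encode_cabf_org_id(value):
    """DER-encode the CABFOrganisationIdentifier SEQUENCE (extension value only)."""
    scheme, country, state, reference = parse_org_id(value)
    body = _tlv(0x13, scheme.encode("ascii"))      # PrintableString (SIZE(3))
    body += _tlv(0x13, country.encode("ascii"))    # PrintableString (SIZE(2))
    if state is not None:
        body += _tlv(0x80, state.encode("ascii"))  # [0] IMPLICIT PrintableString
    body += _tlv(0x0C, reference.encode("utf-8"))  # UTF8String
    return _tlv(0x30, body)                        # SEQUENCE


if __name__ == "__main__":
    # The three sample identifiers given in the article.
    for sample in ("NTRGB-12345678", "NTRUS+CA-12345678", "VATDE-123456789"):
        print(sample, parse_org_id(sample), encode_cabf_org_id(sample).hex())
```

The encoder produces only the SEQUENCE defined above; wrapping it in the X.509 Extension structure with the id-CABFOrganisationIdentifier OID is left to the certificate library in use.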
