You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The subject:organizationIdentifier field is mandatory for the organization-validated and sponsor-validated profiles.
Section 7.1.4.2.2 Subject distinguished name fields defines the structure, including "if required under Section 9.2.4, a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated".
e.g. NTRUS+CA-12345678 (NTR Scheme, United States ‐ California, Unique identifier at State level is 12345678)
Qualified certificates intended for email may exist (i.e. including the emailProtection EKU). These would be governed by ETSI 319 412-1, which defines the format of the organizationIdentifier value in section 5.1.4 Legal person semantics identifier.
The 2 character for the subdivision (state or province) is not compatible with the definition of ETSI and may cause conflicts:
"When the legal person semantics identifier is included, any present organizationIdentifier attribute in the subject
field shall contain information using the following structure in the presented order:
• 3 character legal person identity type reference;
• 2 character ISO 3166-1 [2] country code;
• hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
• identifier (according to country and identity type reference)."
The example NTRUS+CA doesn't match this format.
This issue also appears to be present in the EV SSL guidelines - however there the field is optional, in the SMIME BRs it's a must.
The text was updated successfully, but these errors were encountered:
The subject:organizationIdentifier field is mandatory for the organization-validated and sponsor-validated profiles.
Section 7.1.4.2.2 Subject distinguished name fields defines the structure, including "if required under Section 9.2.4, a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated".
e.g. NTRUS+CA-12345678 (NTR Scheme, United States ‐ California, Unique identifier at State level is 12345678)
Qualified certificates intended for email may exist (i.e. including the emailProtection EKU). These would be governed by ETSI 319 412-1, which defines the format of the organizationIdentifier value in section 5.1.4 Legal person semantics identifier.
The 2 character for the subdivision (state or province) is not compatible with the definition of ETSI and may cause conflicts:
"When the legal person semantics identifier is included, any present organizationIdentifier attribute in the subject
field shall contain information using the following structure in the presented order:
• 3 character legal person identity type reference;
• 2 character ISO 3166-1 [2] country code;
• hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
• identifier (according to country and identity type reference)."
The example NTRUS+CA doesn't match this format.
This issue also appears to be present in the EV SSL guidelines - however there the field is optional, in the SMIME BRs it's a must.
The text was updated successfully, but these errors were encountered: