Subject:organizationIdentifier risk of conflict with ETSI

[chrisbn]

The subject:organizationIdentifier field is mandatory for the organization-validated and sponsor-validated profiles.

Section 7.1.4.2.2 Subject distinguished name fields defines the structure, including "if required under Section 9.2.4, a 2 character ISO 3166-2 identifier for the subdivision (state or province) of the nation in which the Registration Scheme is operated".

e.g. NTRUS+CA-12345678 (NTR Scheme, United States ‐ California, Unique identifier at State level is 12345678)

Qualified certificates intended for email may exist (i.e. including the emailProtection EKU). These would be governed by ETSI 319 412-1, which defines the format of the organizationIdentifier value in section 5.1.4 Legal person semantics identifier.

The 2 character for the subdivision (state or province) is not compatible with the definition of ETSI and may cause conflicts:

"When the legal person semantics identifier is included, any present organizationIdentifier attribute in the subject
field shall contain information using the following structure in the presented order:
• 3 character legal person identity type reference;
• 2 character ISO 3166-1 [2] country code;
• hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)); and
• identifier (according to country and identity type reference)."

The example NTRUS+CA doesn't match this format.

This issue also appears to be present in the EV SSL guidelines - however there the field is optional, in the SMIME BRs it's a must.

[srdavidson]

A Change Request is being considered by ETSI.