Certificate authorities must follow standards and regulations carefully in order to issue valid certificates. This is especially true for the relatively new PSD2 certificates. This article uses a recent example to highlight the consequences of a change in those requirements.
For a couple of months, certificate authorities could not issue QWAC PSD2 certificates that satisfied both the ETSI TS 119 495 and the CA/BF EV Guidelines requirements. How could this happen?
The European Union introduced qualified website authentication certificates (QWAC) in the eIDAS Regulation in 2014. Technically, the QWAC requirements are based on the CA/Browser Forum (CA/BF) Extended Validation (EV) Certificate Guidelines and are intended to be fully compatible with EV certificates (a QWAC is meant to be a valid EV certificate with additional content), but ETSI adds some further requirements. TS 119 495 is a further specialisation of QWAC certificates, dedicated to payment services under the EU PSD2 Directive.
The issuance problem was caused by an inconsistency between these two sets of requirements.
CA/BF updates its requirements from time to time. The changes are discussed in a consultation and then voted on by the forum members. Ballot SC16 turned out to be an interesting one.
PSD2 certificates must contain the organizationIdentifier attribute in the Subject DN; it carries the PSD2-specific data of the organisation (the authorisation details issued by its national competent authority). Ballot SC16 forbade the use of this attribute in EV certificates: that version of the EV Guidelines states explicitly that only the listed attributes may be used in the Subject DN, and the list does not contain organizationIdentifier.
So there was a contradiction between the two sets of requirements (ETSI and CA/BF). While this ballot was the active version, there was no way to issue a valid PSD2 QWAC certificate that also met the EV requirements.
Apart from two abstentions, the forum members voted for this amendment without any objection.
Almost at the moment of the SC16 vote, discussion of the next amendment had already begun.
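To make the contradiction concrete, here is an added example (my own code, not part of the original article and not any CA's tooling) that parses a Subject DN and evaluates it against both rule sets. The EV attribute list below is my summary of the guideline and is an assumption to be checked against the guideline version in force; the organizationIdentifier value shape follows ETSI TS 119 495 ("PSD" + country code + NCA identifier + authorisation number), and the sample DN is constructed.

```python
import re

# EV Guidelines Subject DN attribute types after SC16, as summarised here
# (assumption: verify against the exact guideline version before relying on it).
EV_SC16_ALLOWED = {
    "CN", "O", "OU", "businessCategory", "serialNumber",
    "jurisdictionCountryName", "jurisdictionStateOrProvinceName",
    "jurisdictionLocalityName", "street", "L", "ST", "C", "postalCode",
}
# Model of the corrective ballot: the same list plus organizationIdentifier.
EV_SC17_ALLOWED = EV_SC16_ALLOWED | {"organizationIdentifier"}

# ETSI TS 119 495 organizationIdentifier shape:
# "PSD" + ISO 3166 country code + "-" + NCA identifier + "-" + authorisation number.
PSD2_ORG_ID = re.compile(r"^PSD[A-Z]{2}-[A-Z]{2,8}-.+$")


def parse_dn(dn):
    """Split an RFC 4514-style DN string into (attribute, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):          # split on unescaped commas only
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip(), value.replace("\\,", ",")))
    return pairs

def ev_violations(pairs, allowed=EV_SC16_ALLOWED):
    """Attributes an EV checker would reject under the given allowed set."""
    return [a for a, _ in pairs if a not in allowed]

def psd2_problem(pairs):
    """None if the DN satisfies the TS 119 495 organizationIdentifier rule, else the reason."""
    ids = [v for a, v in pairs if a == "organizationIdentifier"]
    if not ids:
        return "organizationIdentifier missing"
    if not PSD2_ORG_ID.match(ids[0]):
        return "organizationIdentifier does not follow the PSD2 pattern: " + ids[0]
    return None

def classify(dn, allowed=EV_SC16_ALLOWED):
    """Check one Subject DN against both rule sets and report whether it satisfies both."""
    pairs = parse_dn(dn)
    ev, psd2 = ev_violations(pairs, allowed), psd2_problem(pairs)
    return {"ev_violations": ev, "psd2_problem": psd2,
            "both_ok": not ev and psd2 is None}

if __name__ == "__main__":
    # Constructed sample DN, not taken from any real certificate.
    dn = "CN=api.example-bank.test,organizationIdentifier=PSDHU-NBH-12345,O=Example Bank Zrt.,C=HU"
    print("SC16:", classify(dn))                    # fails EV, passes PSD2
    print("SC17:", classify(dn, EV_SC17_ALLOWED))   # passes both
```

Under the SC16 list no DN can satisfy both checks: with organizationIdentifier present the EV check fails, without it the PSD2 check fails; widening the allowed set is what resolves the conflict.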
“Purpose of the Ballot: Allow for the inclusion of additional information in certificates in order to comply with relevant EU regulations.”
The final version of the ballot makes it possible to issue QWAC PSD2 certificates again under both the ETSI and the CA/BF requirements. The ballot's motivation section is quite long and gives a good summary of the relationship between the CA/BF and ETSI requirements.
Almost two months passed between the vote on the first modification (SC16) and the vote on the corrective update (SC17). EV-compatible QWAC PSD2 certificates could not be issued between the publication dates of the two ballots. A small change in one organisation's set of requirements can, at any time, make it impossible to issue certain types of certificates.
Author: Pál CSUVARSZKI
© 2019 Microsec ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41