
Add "organizationIdentifier" as alternative Issuer identification and key resolution with X.509 certificates #110

Open
hesusruiz opened this issue Aug 24, 2024 · 0 comments

hesusruiz commented Aug 24, 2024

An additional possibility for using X.509 certificates may be added in section 7.1 Issuer identification and key resolution to validate an issued Credential, using the organizationIdentifier (OID 2.5.4.97) in the leaf certificate, as an alternative to the dNSName SAN.

At least in the EU, the organizationIdentifier is compulsory in the subject field of eIDAS digital certificates for legal persons issued by a QTSP, as specified in ETSI EN 319 412-3 V1.2.1 (2020-07) and following Recommendation ITU-T X.520.

ETSI defines the organizationIdentifier with a simple but extensible schema which can currently represent:

  • VAT for identification based on a national value added tax identification number.
  • LEI for a global Legal Entity Identifier as specified in ISO 17442.
  • PSD for identification based on the national authorization number of a payment service provider under Payments Services Directive (EU).
  • NTR for identification based on an identifier from a national trade register.

Almost every legal document in use today involving legal entities (contracts, invoices, payments ...) includes one of those identifiers in the text of the document, not only in the EU but elsewhere. This makes it very easy to verify that the signer is the same legal entity identified in the document (the organizationIdentifier matches the identifier used in the document).

I suggest having the same possibility for SD-JWT VCs:

  • x.509 certificates: the SD-JWT VC contains the issuer's certificate along with a trust chain in the x5c JOSE header. If the issuer's certificate includes the organizationIdentifier (OID 2.5.4.97) attribute in the subject field, the iss value MUST be an identifier matching the issuer's organizationIdentifier. Otherwise ...

I used the word "MUST" above because IMO if the certificate already includes an organizationIdentifier it should be the preferred option, because if the certificate was issued according to some regulatory framework in some jurisdiction, that means that most probably the organizationIdentifier is the one used in the business registry of the jurisdiction (or any other source of trust) and in the powers of attorney that provide the power to the legal representative of the legal entity. Matching the iss with the organizationIdentifier increases the legal certainty associated with the verification of the SD-JWT VC.

Of course, it could be just another option and the issuer may choose.
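To make the proposed rule concrete, here is an added example (my own code, not from the SD-JWT VC draft or the issue author): it decodes the x5c leaf with Go's standard crypto/x509, reads the subject organizationIdentifier (OID 2.5.4.97), and checks that iss equals it exactly. MakeTestX5c produces a constructed self-signed certificate as test input, not a QTSP-issued one, and all function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/base64"
	"math/big"
	"time"
)

var oidOrgID = asn1.ObjectIdentifier{2, 5, 4, 97} // organizationIdentifier (X.520; ETSI EN 319 412-3)
// LeafOrgID decodes one x5c entry (the leaf, base64 DER) and returns its subject organizationIdentifier ("" if absent).
func LeafOrgID(x5cLeaf string) (string, error) {
	der, err := base64.StdEncoding.DecodeString(x5cLeaf)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	for _, atv := range leaf.Subject.Names { // Names holds every subject attribute, known to Go or not
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidOrgID) {
			return s, nil
		}
	}
	return "", nil // no organizationIdentifier: the draft's existing dNSName SAN rule would apply instead
}
// IssMatches applies the proposed rule: a leaf carrying an organizationIdentifier requires iss to equal it exactly.
func IssMatches(iss string, x5cLeaf string) (bool, error) {
	orgID, err := LeafOrgID(x5cLeaf)
	return err == nil && orgID != "" && iss == orgID, err
}
// MakeTestX5c builds a constructed self-signed leaf carrying orgID in its subject (test input only, not a QTSP cert).
func MakeTestX5c(orgID string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		Subject: pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidOrgID, Value: orgID}}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(der)
}
```

A verifier would still validate the x5c chain to a trusted root before trusting the subject attribute; the check above only covers the iss binding.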

@hesusruiz hesusruiz changed the title Add alternative Issuer identification and key resolution with X.509 certificates Add "organizationIdentifier" as alternative Issuer identification and key resolution with X.509 certificates Aug 24, 2024