EUID: How Your Digital Certificates Become Even More Trustworthy – The New Globally Unique Organization Identifier
Digital certificates are not just technical data packages, they certify the identity of the certificate holder. SwissSign therefore offers the option of including an organisation as part of the identity within its certificate product portfolio.
The standard for email certificates requires that a registration number must be entered for certificates issued to companies. German commercial register numbers are a challenge in this regard, as each commercial register operates locally and maintains its own numbering system. This problem can be solved with the "European Unique Identifier" (EUID) of the European Union. SwissSign contributes to the community regarding this issue and is taking a leading role.
Are you using SwissSign certificates for email signing and encryption? Then you might be interested in this background report on the topic of registration numbers and how they can be used meaningfully in certificates. Like SSL/TLS certificates, email certificates (also known as "S/MIME certificates") are used on the Internet.
First regulation of S/MIME certificates in September 2023
The body that regulates S/MIME certificates is called the "CA/Browser Forum" (CABF). Here, certificate authorities (CAs) and browser manufacturers come together. Unlike SSL/TLS certificates, which the CABF has been dealing with for a long time, the standard for email certificates, the "S/MIME Baseline Requirements" (S/MIME BR), only came into force in the autumn of 2023.
This was a milestone for the international standardisation of S/MIME certificates - SwissSign had contributed to this standardisation over months and years. The new regulation defines, among other things, the types of S/MIME certificates: there are certificates with and without a person as the certificate holder, as well as those with and without an organisation entry (and the corresponding combinations).
Identity, name and distinctiveness
A digital certificate is not just a technical data package, it contains the name of the certificate holder (also called the "Subject") and certifies the holder's identity. Depending on the identity, there are different requirements for the name entered in the certificate and the scope of the name attributes, i.e. the parts that make up the name. For secure email signature and encryption certificates, this looks as follows:
The SwissSign product "Personal S/MIME E-Mail ID Silver" is issued only to an email address. Therefore, only this email address is entered in the name field of the certificate, for example "CommonName = [email protected]" ("Common Name" is often abbreviated as 'CN').
The SwissSign product "Pro S/MIME E-Mail ID Gold" has the same purpose, but it is issued to a person who is part of an organization (typically an employee). The name is therefore more extensive. Example:
CommonName = John Doe
givenName = John
surname = Doe
Email = [email protected]
Organization = SwissSign AG
OrganizationIdentifier (2.5.4.97) = NTRCH-CHE-109.357.012
StateOrProvince = ZH
Country = CH
The name contains information about John Doe as well as his organisation SwissSign AG.
By the way, it is essential that each of the mentioned name attributes has been validated.
Furthermore, the entire name, i.e. the combination of the name attributes, is only assigned to one certificate holder and therefore unique for this holder.
A new internationally harmonised organisation identifier for more compatibility
Certificates containing an organisation name are a particular challenge. These are the certificate types
- "Sponsor Validated" (SV), which is issued to a person as an employee of an organisation in addition to the email address (available as the "Pro S/MIME Email ID Gold" product), and
- "Organization Validated" (OV), which is issued to the organisation itself (you will be able to obtain this product from SwissSign until the end of the year).
Here, a new attribute in the name of the holder ("Subject") is mandatory. It is called "OrganizationIdentifier". It is used not only in email certificates, but also in certificates that comply with the EU eIDAS ordinance or with the Swiss signature law ZertES.
This attribute is constructed with a prefix including the country code. As an illustrative example, the entry for SwissSign AG is given here: NTRCH-CHE-109.357.012.
- The first three letters indicate the sub-schema that follows. 'NTR' means "National Trade Register," which in many countries is equivalent to the commercial register.
- 'CH' is a standardised country code and stands for Switzerland ('Confoederatio Helvetica').
- Separated by the hyphen '-', the commercial register number mentioned above follows.
Due to the prefix structure, this OrganizationIdentifier is therefore globally unique. Depending on whether the identified organisation is
- a company or other private organisation,
- a public authority, or
- an international organisation,
the structure of the identifier can vary.
What is the advantage of such a unique identifier? Certificates are always issued in such a way that they can be clearly attributed to the holder - for example, the organisation. This is done using various name attributes, in addition to the company name, for example, the country in which the company is based. However, the combination of various technical attributes is cumbersome, and such attributes can change, for example, in the case of a change of name of the company. Such unique identifiers therefore reduce complexity in the digital world and are also used in automated transaction processing.
The problem: No uniqueness in Germany
For government agencies and international organisations there are specific challenges regarding organisation identifiers, but in this article we focus on companies and private organisations in general.
For private organisations, several identifiers are available. However, these are either not widely used (e.g. the "Legal Entity Identifier", LEI, used in the financial sector) or are a challenge in terms of verifiability and persistence. While Value Added Tax (VAT) numbers are issued in almost every country, the registers are not publicly accessible, and not all organisations have such a number. In addition, a company can be released from VAT obligations and therefore lose its VAT number.
The above-mentioned scheme with NTR (National Trade Register Number) is therefore the only comprehensive and practical solution for companies.
The trade registers used for this purpose are often located at the regional level, but the number assigned is almost always unique at the national level. Example Switzerland: The maintenance of trade registers is the responsibility of the cantons (federal states). In the above example, SwissSign AG is registered in the trade register of the canton of Zurich with the registration number CHE-109.357.012. This number is an "Enterprise Identification Number" (in German "Unternehmens-Identifikationsnummer" UID) issued by the Swiss Federal Statistical Office. It is not only used as a trade register number, but also as an identifier in other government registers, for example, it is also used as a VAT number. It is therefore harmonised and unambiguous throughout Switzerland for all commercial registers (and other government company registers). Even if the company moves to a different canton, this number does not change and continues to identify the company in the commercial register of the new canton.
The same applies to the vast majority of countries around the world. However, there are a few exceptions to this principle of nationwide unique business registry numbers: in the US and Canada, the numbers are not issued nationwide, but on the level of the federal states.
This problem is solved in the OrganizationIdentifier by not only requiring the standard code (ISO 3166-1) for the country USA or Canada, but also by including the code for the state (ISO 3166-2) as well. Examples:
- NTRUS+NY-123456 (the company is based in the US ('US') in the state of New York, 'NY')
- NTRCA+QC-123456 (the company is based in Canada ('CA') in the province of Quebec, 'QC')
Another exception to the nationwide unique business registry number is Germany. Including the federal state or its standardised code, as for the North American states described above, does not solve the problem here. Reason: the commercial registers are managed by district courts, and there are usually several such registers per federal state. The German business registry number is therefore issued on a purely regional level and is only unique within the number range of the district court.
For example, in North Rhine-Westphalia, an HR number is used multiple times due to the large number of district courts. Therefore, the number NTRDE-123456 in a certificate would be confusing, as the company still cannot be clearly associated with it. The above approach for US and Canadian companies by adding the state in the OrganizationIdentifier, i.e. NTRDE+NW123456 with 'NW' for North Rhine-Westphalia, does not solve the problem either.
Nevertheless, regional registry numbers were inserted into certificates as if they were national identifiers, which led to confusion (interested readers can find an example at https://bugzilla.mozilla.org/show_bug.cgi?id=1917405). To avoid further inconsistencies, the CA/Browser Forum had no choice but to change the S/MIME BR so that the uniqueness of the (organisation) entries in OrganizationIdentifier is no longer required.
The solution: "European Unique Identifier" (EUID)
Even before the S/MIME BR came into effect, CAs from the German-speaking region had already taken up the issue under the leadership of SwissSign. Together with D-Trust (Federal Printing Office) and Deutsche Telekom Security GmbH (T-Systems), SwissSign has developed a solution; the SwissSign Conformity Assessment Body, TÜV Trust IT, also provided decisive input.
The "European Unique Identifier," abbreviated EUID, was identified as the best solution. EUID is not to be confused with EUDI, which stands for "European Digital Identity" (in which SwissSign also plays an active role).
The EUID is set and regulated by an EU "Implementation Regulation," which you can find here (see section 9 of the Annex).
The system is based on adding a prefix to the commercial register number. The prefix indicates the commercial register. The compound number (prefix and CR number) is then inserted into the NTR scheme of the OrganizationIdentifier.
Example: "DE-R3306.HRB66812". 'DE' stands for Germany, 'R3306' is the EUID standardised code for the District Court of Cologne and "HRB66812" is the number assigned by this court to the registered legal entity. This number is therefore unique throughout Germany, and the OrganizationIdentifier "NTRDE-DE-R3306.HRB66812" is unique worldwide.
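The following Python example is added here and is not SwissSign's code or part of any standard; it splits an OrganizationIdentifier value into the parts described in this article (scheme, country code, optional '+' state code, register reference) and recognises the EUID form inside the reference. The grammar is an assumption modelled on the article's examples (NTRCH-CHE-109.357.012, NTRUS+NY-123456, NTRDE-DE-R3306.HRB66812), not the normative ETSI grammar, and the "is it nationally unique" rule encodes only the cases the article names: US and Canadian numbers need a state or province code, German numbers need the EUID register prefix. The function and set names are the example's own, and the sample subject is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Structure assumed from the article's examples (not the normative ETSI grammar):
# 3-letter scheme (e.g. "NTR"), ISO 3166-1 country code, optional "+" followed by
# an ISO 3166-2 subdivision code, a hyphen, then the register reference.
_ORG_ID_RE = re.compile(
    r"^(?P<scheme>[A-Z]{3})"
    r"(?P<country>[A-Z]{2})"
    r"(?:\+(?P<subdivision>[A-Z0-9]{1,3}))?"
    r"-(?P<reference>.+)$"
)

# EUID form as used in the article: "<country>-<register code>.<register number>",
# e.g. "DE-R3306.HRB66812".
_EUID_RE = re.compile(
    r"^(?P<country>[A-Z]{2})-(?P<register>[A-Z0-9]+)\.(?P<number>[A-Z0-9]+)$"
)

# Countries named in the article whose register numbers are only unique per
# state/province: the subdivision code must be present.
SUBDIVISION_REQUIRED = {"US", "CA"}
# Countries named in the article whose register numbers are only unique per
# register office: an EUID register prefix is needed.
EUID_REQUIRED = {"DE"}


@dataclass(frozen=True)
class OrgIdentifier:
    scheme: str
    country: str
    subdivision: Optional[str]
    reference: str
    euid_register: Optional[str] = None
    euid_number: Optional[str] = None

    @property
    def is_euid(self) -> bool:
        return self.euid_register is not None


def parse_organization_identifier(value: str) -> OrgIdentifier:
    """Split an OrganizationIdentifier (OID 2.5.4.97) value into its parts."""
    m = _ORG_ID_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"not a structured OrganizationIdentifier: {value!r}")
    register = number = None
    euid = _EUID_RE.fullmatch(m["reference"])
    if euid is not None:
        # The EUID carries its own country code; it must agree with the prefix.
        if euid["country"] != m["country"]:
            raise ValueError(
                f"EUID country {euid['country']} does not match "
                f"identifier country {m['country']}"
            )
        register, number = euid["register"], euid["number"]
    return OrgIdentifier(m["scheme"], m["country"], m["subdivision"],
                         m["reference"], register, number)


def is_nationally_unique(org_id: OrgIdentifier) -> Tuple[bool, str]:
    """Apply the article's reasoning: is this NTR reference unambiguous nationwide?"""
    if org_id.scheme != "NTR":
        return True, f"scheme {org_id.scheme} is not checked here"
    if org_id.country in EUID_REQUIRED and not org_id.is_euid:
        return False, "number is only unique per district court; EUID register prefix missing"
    if org_id.country in SUBDIVISION_REQUIRED and org_id.subdivision is None:
        return False, "number is only unique per state/province; subdivision code missing"
    return True, "nationally unique"


def check_subject_consistency(subject: dict) -> Tuple[bool, str]:
    """Cross-check the Country and OrganizationIdentifier attributes of a Subject.

    `subject` is a plain dict of attribute name -> value (a constructed stand-in
    for a parsed X.509 Name), as listed in the article's example.
    """
    try:
        org_id = parse_organization_identifier(subject["OrganizationIdentifier"])
    except (KeyError, ValueError) as exc:
        return False, f"unusable OrganizationIdentifier: {exc}"
    if subject.get("Country") != org_id.country:
        return False, "Country attribute does not match OrganizationIdentifier prefix"
    return is_nationally_unique(org_id)


if __name__ == "__main__":
    # Constructed sample subject mirroring the article's SwissSign AG example.
    sample_subject = {
        "Organization": "SwissSign AG",
        "OrganizationIdentifier": "NTRCH-CHE-109.357.012",
        "Country": "CH",
    }
    print(check_subject_consistency(sample_subject))
    # "NTRDE+NW-123456" is constructed following the NTRUS+NY-123456 pattern.
    for v in ("NTRUS+NY-123456", "NTRDE-123456", "NTRDE+NW-123456",
              "NTRDE-DE-R3306.HRB66812"):
        print(v, is_nationally_unique(parse_organization_identifier(v)))
```

The cross-check between the EUID's own country code and the NTR prefix, and between the prefix and the Subject's Country attribute, is where a validator catches the kind of regional number inserted as a national one that the article describes; a real implementation would read the attributes from the parsed certificate Subject and take the list of permitted register codes from the official EUID register list rather than accepting any code syntactically.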
The list of such prefixes is maintained by official bodies. This ensures not only the said unambiguity, but also the reliability and consistency of the system. As a result of these advantages, the EUID is increasingly gaining attention in the certificates.
The S/MIME BR was updated by SwissSign together with the US CA DigiCert and the Italian CA Actalis to explicitly recommend and explain the EUID. You can find the lively discussion on this topic here: https://github.com/cabforum/smime/issues/263.
The European Telecommunications Standards Institute (ETSI) has also recognised the importance of the EUID. ETSI develops various standards for the electronic world, for example the requirements for digital certificates and electronic signatures. Its working group "Electronic Signatures and Trust Infrastructures (ESI)" has also discovered the advantages of the EUID. The new (draft) version of the standard that defines OrganizationIdentifier, ETSI EN 319 412-1, now also explicitly mentions the EUID. SwissSign has therefore bet on the right horse and set the right course early on.
Conclusion: More credibility through engagement in the CA community
The commercial register number is increasingly used in public key certificates. The special challenges in Germany in this regard can be elegantly solved with the "European Unique Identifier" (EUID). This approach, which is promoted by SwissSign, is spreading in the certificate world.
It is evident that SwissSign's proximity to the German market and its knowledge of its particularities are paying off. While many providers have so far ignored the peculiarities of the German commercial register system, CAs from the German-speaking region have addressed these early on. We would be happy to advise you on this matter in German, English or French.