PSD2 is the Payment Services Directive 2, a Directive from the European Union. Directives aren't legislation per se, but tell the member states to write their own legislation to achieve some agreed outcome. Many things you think of as EU laws are actually Directives; as a citizen, the broad effect of a Directive should be pretty similar everywhere in the EU, but implementation details vary a lot.

AIUI PSD2 has numerous goals following on from the previous successful Payment Services Directive, but they did once again get into the game of defining what X.509 certificates should mean and how issuers should validate information. So they've got themselves an OID arc for new policy OIDs.

If these OIDs are used in certs in the Web PKI then such certificates would need to obey both sets of rules, but as a relying party I can't say I care about the EU rules at all until I see some clear benefit, whereas the benefit of rules from Mozilla and CA/B forum is already clear.

If they shove a valid but nonsensical policy OID into a cert I don't know what Mozilla policy about that would be, but certainly the browser and common TLS clients will just ignore it altogether.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
