<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";
color:black;}
span.EmailStyle17
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";
color:black;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body bgcolor=white lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>Bill,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>I'm certainly willing to go the CPS route to get this done, but I think that only exacerbates the one legitimate concern which has been raised, namely that of relying parties being able to identify which country it represents. I think my approach of adding as an Appendix to the BR and creating a standard, documented usage across the industry is a much better approach. Better that the CA/B Forum acts as the user doing the defining, rather than each CA on its own coming up with a bunch of different solutions.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>Eddy,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>The politics involved don't concern me, and shouldn't concern us as a Forum, except that ISO 3166 takes its lead from the UN so until the UN makes a final decision, 3166 doesn't get updated. A UN decision on this or anything else like it could take years (it's already been 4) or never come. <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>In the mean time, at least for those of us in a jurisdiction that recognizes the Republic of Kosovo, we live in a world where there is in point of fact a country called the Republic of Kosovo, as per the laws of the jurisdiction to which we are subject. ISO 3166 does in fact have a mechanism by which we can deal with the situation. I fully agree, let's leave the politics out of it, and simply use the standard as it exists to create a solution which works for our industry, publish what that mechanism is and go on about our business. I think my proposal does exactly that and it's neutral as far as which side of the fence a particular CAs jurisdiction falls into with regards to the politics involved.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>As far as other regions which may be in similar situations, fine. We can deal with them in similar fashion if and when they present themselves. I think by adding the user defined codes into the standard, ISO acknowledged that by tying the standard to the UN, there may arise situations in the real world with which they can't keep up so the standard allows those of us who have to live in the real world to use those reserved codes to fill in the gaps. Let's get the job done that they can't do at the moment.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>As Bill has pointed out, I can use that mechanism to define my own solution, and if the consensus of the Forum is that I should do that, fine, I'll get it done, but IMO it is short sighted and prone to far more errors and relying party confusion to have every CA making their own policies on this than to have the Forum make a sensible policy for the industry. That policy should take the real world situation into account and not worry about the 'politics' of it.<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'>-Rich<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> William Madell [mailto:bill.madell@trustis.com] <br><b>Sent:</b> Tuesday, July 31, 2012 3:09 PM<br><b>To:</b> 'Eddy Nigg (StartCom Ltd.)'; richard.smith@comodo.com; public@cabforum.org<br><b>Subject:</b> RE: [cabfpub] ISO 3166-1 country codes<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>Rich – <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>I think Eddy’s got a point regarding the public meaningfulness of an arbitrary/unofficial country code. <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>Section 9.2.5 mandates the use of a defined – therefore, meaningful – code for the countryName attribute. The X.520 rules say an ISO 3166-1/3 alpha-2 code is used. ISO 3166/MA says, “here’s a bunch of unassigned alpha-2 codes that can be user-defined.” So, maybe the answer is to define it within the Certificate Policy under which the cert is issued?<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>Perhaps, we could expand sec. 9.2.5 to allow that approach; it might look like this:<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>---------------<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>Contents: If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject in accordance with Section 11.2.5 and use its two-letter ISO 3166-1 country code. If a country is not assigned a two-letter ISO 3166-1 country code, a CA MAY utilise a user-assigned code. If the CA utilises a user-assigned code, the CA MUST define the country identified by the code in its Certificate Policy or Certification Practice Statement.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>--------------- <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'>The alternative, of course, is to issue a certificate to a Kosovo entity which does NOT contain a countryName attribute (which, if I read it correctly, also means the certificate must not contain an organization attribute).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><br>Regards,<br>Bill<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Eddy Nigg (StartCom Ltd.)<br><b>Sent:</b> 31 July 2012 17:15<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> Re: [cabfpub] ISO 3166-1 country codes<o:p></o:p></span></p></div></div><p class=MsoNormal><span lang=EN-GB><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-GB>Hi Rich,<br><br>On 07/30/2012 11:39 PM, From Rich Smith: <o:p></o:p></span></p><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Since XK is set aside by the ISO as user assigned, I tend to lean toward allowing it, but I also think that we should probably decide as a group so that we all (at least all in jurisdictions which recognize Kosovo) treat Kosovo in a uniform fashion. Thoughts?<o:p></o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-GB style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br>I'm not in favor because this code doesn't say really anything to a relying party (could be as well XX). A code that hasn't been approved shall not be used because it's not possible to recognize it.<o:p></o:p></span></p><div><table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Regards <o:p></o:p></span></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Signer: <o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Eddy Nigg, COO/CTO<o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><a href="http://www.startcom.org">StartCom Ltd.</a><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>XMPP: <o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><a href="xmpp:startcom@startcom.org">startcom@startcom.org</a><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Blog: <o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><a href="http://blog.startcom.org">Join the Revolution!</a><o:p></o:p></span></p></td></tr><tr><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'>Twitter: <o:p></o:p></span></p></td><td style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'><a href="http://twitter.com/eddy_nigg">Follow Me</a><o:p></o:p></span></p></td></tr><tr><td colspan=2 style='padding:0in 0in 0in 0in'><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Times New Roman","serif"'> <o:p></o:p></span></p></td></tr></table></div><p class=MsoNormal><span lang=EN-GB style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p></div></div></body></html>