<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 17/3/2017 4:08 μμ, Ryan Sleevi
wrote:<br>
</div>
<blockquote
cite="mid:CACvaWvaHvb0qrpej3rKmsxZs5NYMRuRrtDW0fAA-A_iNsti2Sg@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Fri, Mar 17, 2017 at 7:26 AM,
Dimitris Zacharopoulos via Public <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:public@cabforum.org"
target="_blank">public@cabforum.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> We came across an
interesting request which relates to a probably unique
situation for Greece, but also exists for UK.<br>
<br>
From <a moz-do-not-send="true"
class="m_-747489645731677166moz-txt-link-freetext"
href="https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2"
target="_blank">https://en.wikipedia.org/wiki/<wbr>ISO_3166-1_alpha-2</a>,
it is documented that the <a moz-do-not-send="true"
href="https://en.wikipedia.org/wiki/European_Commission"
title="European Commission" target="_blank">European
Commission</a> generally uses ISO 3166-1 alpha-2 codes
<b>with two exceptions</b>: <span
style="font-family:monospace,monospace">EL</span> (not
<span style="font-family:monospace,monospace">GR</span>)
is used to represent Greece and <span
style="font-family:monospace,monospace">UK</span> (not
<span style="font-family:monospace,monospace">GB</span>)
is used to represent the United Kingdom.<br>
<br>
Here is the official Country codes list
<a moz-do-not-send="true"
class="m_-747489645731677166moz-txt-link-freetext"
href="http://ec.europa.eu/eurostat/statistics-explained/index.php/Glossary:Country_codes"
target="_blank">http://ec.europa.eu/eurostat/<wbr>statistics-explained/index.<wbr>php/Glossary:Country_codes</a>.
There is no doubt that there are several laws, treaties
and other legal documents supporting these two
exceptions.<br>
<br>
According to the BRs 7.1.4.2.2.h<br>
<br>
"the subject:countryName MUST contain the two-letter ISO
3166-1 country code associated with the location of the
Subject verified under Section 3.2.2.1. If the
subject:organizationName field is absent, the
subject:countryName field MAY contain the two-letter ISO
3166-1 country code associated with the Subject as
verified in accordance with Section 3.2.2.3. If a
Country is not represented by an official ISO 3166-1
country code, the CA MAY specify the ISO 3166-1
user-assigned code of XX indicating that an official ISO
3166-1 alpha-2 code has not been assigned."<br>
<br>
If I'm reading this correctly, we can't currently use
the C=EL in BR-compliant SSL Certificates. Would we need
to amend the BRs and add an exception for these two
Countries or could we invoke 9.16.3?<br>
</div>
</blockquote>
<div><br>
</div>
<div>Why do you believe 9.16.3 would be appropriate? That
is, 9.16.3 would only be appropriate if and only if there
was a law saying you _could not_ represent Greece with GR
and _could not_ represent GB as UK.</div>
<div><br>
</div>
<div>As recently discussed with Li-Chun, it _would not_ be
appropriate or applicable if another PKI which you
participated in required that, even if that PKI was
established by law, if participation in that PKI was not
mandatory for all CAs within that jurisdiction.</div>
<div><br>
</div>
<div>You are correct in reading that C=EL and C=UK should
not be used as currently specified in the BRs.</div>
</div>
</div>
</div>
</blockquote>
<br>
<br>
Thanks everyone with providing comments and clarity to this subject.
So, to summarize, regardless of being "exceptionally reserved" or
not, since the BRs strictly mandate following ISO 3166-1, CA's can't
currently use C=EL or C=UK in BR-compliant SSL certificates.<br>
<br>
Ryan, it seems you are reading the 9.16.3 requirement from a
different point of view and I am. I don't think you 're likely to
see a local law that mandates what you "can't do". So, you are not
likely to see a law or an executive order that says "you cannot
represent Greece with GR". It is more likely that you will find a
law that says that "for this type of certificate, you must represent
Greece with EL". I think that should be enough for 9.16.3 because
there is a "conflict between these Requirements and a law". In our
example, the BRs say you can't use C=EL but the "local" law says you
must use C=EL.<br>
<br>
I also think you will never see a local law or executive order that
reads something so overly specific as to combine this requirement
with "publicly trusted Certificates". <br>
<br>
For your consideration, please have a look at
<a class="moz-txt-link-freetext" href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505">http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505</a>
and specifically Annex II. This is an Implementing Decision for
Regulation 910/2014 (eIDAS).<br>
<br>
"<br>
The information to be notified by Member States under Article 4(1)
of the present Decision <b>shall</b> contain the following data and
any changes thereto:<br>
<p class="normal">(1)</p>
<p class="normal">Member State, using ISO 3166-1<a
id="ntc1-L_2015235EN.01003601-E0001"
href="http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505#ntr1-L_2015235EN.01003601-E0001"> (<span
class="super">1</span>)</a> Alpha 2 codes with the following
exceptions:</p>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<colgroup><col width="4%"> <col width="96%"> </colgroup><tbody>
<tr>
<td valign="top">
<p class="normal">(a)</p>
</td>
<td valign="top">
<p class="normal">The Country Code for United Kingdom shall
be ‘UK’.</p>
</td>
</tr>
</tbody>
</table>
<table border="0" cellpadding="0" cellspacing="0" width="100%">
<colgroup><col width="4%"> <col width="96%"> </colgroup><tbody>
<tr>
<td valign="top">
<p class="normal">(b)</p>
</td>
<td valign="top">
<p class="normal">The Country Code for Greece shall be ‘EL’.</p>
</td>
</tr>
</tbody>
</table>
"<br>
<br>
I believe Greece and Great Britain should be allowed their "right"
to be represented by using the identifiers C=EL and C=UK
respectively, if they wish to do so. The "spirit" of 9.16.3 is also
to bring conflicting requirements to the CA/B Forum to consider
possible revisions accordingly. This is exactly what I am doing,
without violating the current BRs, but hoping that the CA/B Forum
will read this as a conflicting requirement which could be resolved
by adding a simple exception, without creating any risk in current
practices.<br>
<br>
Is this only my reading? Do others read this in a similar way?<br>
<br>
<br>
Dimitris.<br>
<br>
PS: This is not so much related to Li-Chun's case which was more
confusing. I think the question that is raised here is much simpler.<br>
</body>
</html>