<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Mar 17, 2017 at 7:26 AM, Dimitris Zacharopoulos via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
We came across an interesting request which relates to a probably
unique situation for Greece, but also exists for UK.<br>
<br>
From <a class="m_-747489645731677166moz-txt-link-freetext" href="https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2" target="_blank">https://en.wikipedia.org/wiki/<wbr>ISO_3166-1_alpha-2</a>, it is
documented that the <a href="https://en.wikipedia.org/wiki/European_Commission" title="European Commission" target="_blank">European Commission</a> generally uses
ISO 3166-1 alpha-2 codes <b>with two exceptions</b>: <span style="font-family:monospace,monospace">EL</span> (not <span style="font-family:monospace,monospace">GR</span>) is used to
represent Greece and <span style="font-family:monospace,monospace">UK</span> (not <span style="font-family:monospace,monospace">GB</span>) is used to represent the United Kingdom.<br>
<br>
Here is the official Country codes list
<a class="m_-747489645731677166moz-txt-link-freetext" href="http://ec.europa.eu/eurostat/statistics-explained/index.php/Glossary:Country_codes" target="_blank">http://ec.europa.eu/eurostat/<wbr>statistics-explained/index.<wbr>php/Glossary:Country_codes</a>.
There is no doubt that there are several laws, treaties and other
legal documents supporting these two exceptions.<br>
<br>
According to the BRs 7.1.4.2.2.h<br>
<br>
"the subject:countryName MUST contain the two-letter ISO 3166-1
country code associated with the location of the Subject verified
under Section 3.2.2.1. If the subject:organizationName field is
absent, the subject:countryName field MAY contain the two-letter ISO
3166-1 country code associated with the Subject as verified in
accordance with Section 3.2.2.3. If a Country is not represented by
an official ISO 3166-1 country code, the CA MAY specify the ISO
3166-1 user-assigned code of XX indicating that an official ISO
3166-1 alpha-2 code has not been assigned."<br>
<br>
If I'm reading this correctly, we can't currently use the
C=EL in BR-compliant SSL Certificates. Would we need to amend the
BRs and add an exception for these two Countries or could we invoke
9.16.3?<br></div></blockquote><div><br></div><div>Why do you believe 9.16.3 would be appropriate? That is, 9.16.3 would only be appropriate if and only if there was a law saying you _could not_ represent Greece with GR and _could not_ represent GB as UK.</div><div><br></div><div>As recently discussed with Li-Chun, it _would not_ be appropriate or applicable if another PKI which you participated in required that, even if that PKI was established by law, if participation in that PKI was not mandatory for all CAs within that jurisdiction.</div><div><br></div><div>You are correct in reading that C=EL and C=UK should not be used as currently specified in the BRs.</div></div></div></div>