[cabfpub] ISO 3166-1 country codes

Erwann Abalea erwann.abalea at keynectis.com
Wed Aug 1 03:07:44 MST 2012


Hello,

If the CABForum wants to take the lead and define rules, it may have to 
deal with politics.
I don't see how an entity unable to obtain an EV certificate can define 
which country can be considered sovereign and assign it an ISO3166 
country code, except for nomenclature only.

If an appendix is to be added to BR, we'll have to take decisions on 
"countries" listed in 
http://en.wikipedia.org/wiki/List_of_states_with_limited_recognition, 
and maybe extend it to reserved ISO3166 country codes such as "EU", 
"UK", "FX", ...
The problem can quickly become complex, and adding another transnational 
layer won't simplify it, if we can even reach consensus (for example, on 
Kosovo, Spain doesn't recognize it as a sovereign state). If the 
consensus finally is "do it your way", then OK, we don't have to agree 
on politics but only on a common nomenclature.

-- 
Erwann ABALEA

On 31/07/2012 22:26, Rich Smith wrote:
>
> Bill,
>
> I'm certainly willing to go the CPS route to get this done, but I 
> think that only exacerbates the one legitimate concern which has been 
> raised, namely that of relying parties being able to identify which 
> country it represents.  I think my approach of adding as an Appendix 
> to the BR and creating a standard, documented usage across the 
> industry is a much better approach.  Better that the CA/B Forum acts 
> as the user doing the defining, rather than each CA on its own coming 
> up with a bunch of different solutions.
>
> Eddy,
>
> The politics involved don't concern me, and shouldn't concern us as a 
> Forum, except that ISO 3166 takes its lead from the UN so until the UN 
> makes a final decision, 3166 doesn't get updated.  A UN decision on 
> this or anything else like it could take years (it's already been 4) 
> or never come.
>
> In the meantime, at least for those of us in a jurisdiction that 
> recognizes the Republic of Kosovo, we live in a world where there is 
> in point of fact a country called the Republic of Kosovo, as per the 
> laws of the jurisdiction to which we are subject.   ISO 3166 does in 
> fact have a mechanism by which we can deal with the situation.  I 
> fully agree, let's leave the politics out of it, and simply use the 
> standard as it exists to create a solution which works for our 
> industry, publish what that mechanism is and go on about our 
> business.  I think my proposal does exactly that and it's neutral as 
> far as which side of the fence a particular CA's jurisdiction falls 
> into with regards to the politics involved.
>
> As far as other regions which may be in similar situations, fine.  We 
> can deal with them in similar fashion if and when they present 
> themselves.  I think by adding the user defined codes into the 
> standard, ISO acknowledged that by tying the standard to the UN, there 
> may arise situations in the real world with which they can't keep up 
> so the standard allows those of us who have to live in the real world 
> to use those reserved codes to fill in the gaps.  Let's get the job 
> done that they can't do at the moment.
>
> As Bill has pointed out, I can use that mechanism to define my own 
> solution, and if the consensus of the Forum is that I should do that, 
> fine, I'll get it done, but IMO it is short-sighted and prone to far 
> more errors and relying party confusion to have every CA making their 
> own policies on this than to have the Forum make a sensible policy for 
> the industry.  That policy should take the real world situation into 
> account and not worry about the 'politics' of it.
>
> -Rich
>
> *From:* William Madell [mailto:bill.madell at trustis.com]
> *Sent:* Tuesday, July 31, 2012 3:09 PM
> *To:* 'Eddy Nigg (StartCom Ltd.)'; richard.smith at comodo.com; 
> public at cabforum.org
> *Subject:* RE: [cabfpub] ISO 3166-1 country codes
>
> Rich --
>
> I think Eddy's got a point regarding the public meaningfulness of an 
> arbitrary/unofficial country code.
>
> Section 9.2.5 mandates the use of a defined -- therefore, meaningful 
> -- code for the countryName attribute.  The X.520 rules say an ISO 
> 3166-1/3 alpha-2 code is used.  ISO 3166/MA says, "here's a bunch of 
> unassigned alpha-2 codes that can be user-defined."  So, maybe the 
> answer is to define it within the Certificate Policy under which the 
> cert is issued?
>
> Perhaps, we could expand sec. 9.2.5 to allow that approach; it might 
> look like this:
>
> ---------------
>
> Contents: If the subject:countryName field is present, then the CA 
> SHALL verify the country associated with the Subject in accordance 
> with Section 11.2.5 and use its two-letter ISO 3166-1 country code.  
> If a country is not assigned a two-letter ISO 3166-1 country code, a 
> CA MAY utilise a user-assigned code.  If the CA utilises a 
> user-assigned code, the CA MUST define the country identified by the 
> code in its Certificate Policy or Certification Practice Statement.
>
> ---------------
>
> The alternative, of course, is to issue a certificate to a Kosovo 
> entity which does NOT contain a countryName attribute (which, if I 
> read it correctly, also means the certificate must not contain an 
> organization attribute).
>
>
> Regards,
> Bill
>
> *From:* public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Eddy Nigg 
> (StartCom Ltd.)
> *Sent:* 31 July 2012 17:15
> *To:* public at cabforum.org <mailto:public at cabforum.org>
> *Subject:* Re: [cabfpub] ISO 3166-1 country codes
>
> Hi Rich,
>
> On 07/30/2012 11:39 PM, From Rich Smith:
>
> Since XK is set aside by the ISO as user assigned, I tend to lean 
> toward allowing it, but I also think that we should probably decide as 
> a group so that we all (at least all in jurisdictions which recognize 
> Kosovo) treat Kosovo in a uniform fashion.  Thoughts?
>
>
> I'm not in favor because this code doesn't say really anything to a 
> relying party (could be as well XX). A code that hasn't been approved 
> shall not be used because it's not possible to recognize it.
>
> Regards
>
> Signer: Eddy Nigg, COO/CTO
> StartCom Ltd. <http://www.startcom.org>
> XMPP: startcom at startcom.org <xmpp:startcom at startcom.org>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> http://cabforum.org/mailman/listinfo/public
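
The wording Bill proposes for section 9.2.5 in the quoted message, written as a check over subject attributes. This is an added example, not part of the thread or of any CA/B Forum document; `lint_subject`, `SAMPLE_ASSIGNED` and the `cps_defined` mapping are hypothetical names, and the assigned-code set is a constructed sample rather than the full ISO 3166-1 list.

```python
import string

# ISO 3166-1 alpha-2 user-assigned codes: AA, QM-QZ, XA-XZ and ZZ (42 in total).
USER_ASSIGNED = (
    {"AA", "ZZ"}
    | {"Q" + c for c in "MNOPQRSTUVWXYZ"}
    | {"X" + c for c in string.ascii_uppercase}
)

# Constructed sample, NOT the full standard: a real check would load the
# current list of officially assigned codes.
SAMPLE_ASSIGNED = {"DE", "ES", "FR", "GB", "US"}


def lint_subject(subject, assigned, cps_defined):
    """Check subject attributes (dict, e.g. {"C": "XK", "O": "..."}).

    cps_defined maps user-assigned codes to the country the CA's CP/CPS
    says they identify. Returns (verdict, reason).
    """
    country = subject.get("C")
    if country is None:
        # Bill's reading: no countryName means no organization attribute.
        if "O" in subject:
            return ("error", "organization present without countryName")
        return ("ok", "countryName absent")
    # Assumption of this example: codes are compared as two upper-case letters.
    if len(country) != 2 or any(ch not in string.ascii_uppercase for ch in country):
        return ("error", "countryName is not a two-letter upper-case code")
    if country in assigned:
        return ("ok", "officially assigned ISO 3166-1 code")
    if country in USER_ASSIGNED:
        if country in cps_defined:
            return ("ok", "user-assigned code defined as " + cps_defined[country])
        return ("error", "user-assigned code not defined in CP/CPS")
    # Reserved codes such as EU, UK or FX land here: neither assigned nor user-assigned.
    return ("error", "neither officially assigned nor user-assigned")


if __name__ == "__main__":
    cps = {"XK": "Republic of Kosovo"}  # constructed CP/CPS definition
    for subj in ({"C": "XK", "O": "Example"}, {"C": "EU"}, {"O": "Example"}):
        print(subj, lint_subject(subj, SAMPLE_ASSIGNED, cps))
```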
