[cabfpub] ISO 3166-1 country codes

Rich Smith richard.smith at comodo.com
Wed Aug 1 15:12:55 UTC 2012 

Bill, 

I think the additions are great.  Jeremy and Gerv, does this address your
concerns as well?  Are either of you willing to endorse at this point?

-Rich

 

From: William Madell [mailto:bill.madell at trustis.com] 
Sent: Wednesday, August 01, 2012 7:05 AM
To: jeremy.rowley at digicert.com; richard.smith at comodo.com; 'Erwann Abalea';
public at cabforum.org
Subject: RE: [cabfpub] ISO 3166-1 country codes

 

Rich,

 

I understand your point on solely moving things into individual CP/CPS –
depending on how it’s done, it could be problematic.  It does, however, seem
to be the logical place for Relying Parties to look when confronted with an
unknown/unfamiliar value within a certificate.  I figure the approach should
use your wording to define the temporary use of XK in Appendix D of the BRs,
but also mandate CAs using XK in their certificates provide the BR
definition within their own CP/CPS – to make the explanation more
readily/easily available to the Relying Parties.   I’d wager that a RP would
look first to the CP/CPS before consulting the BRs – or ISO 3166-1, for that
matter. 

 

Have a look at this version of the motion.  It includes the Digicert
amendment along with amendments of my own (using Kirk’s suggested +/-
method):

 

-------------

Appendix D - Country-Specific Interpretative Guidelines (Normative)

Republic of Kosovo

Until the Republic of Kosovo is assigned an official ISO 3166-1 designation,
CAs operating in jurisdictions that recognize the Republic of Kosovo MAY, at
their discretion, use either (i) the country code RS for Serbia, or (ii) in
line with the European Commission (see
http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/Glossary:Cou
ntry_codes) as well as certain other governments and organizations, use the
country code XK* for the Republic of Kosovo.  

 

[+ CAs using (ii) MUST include the relevant guidance provided in this
Appendix within their own Certificate Policy or Certification Practice
Statement in order to provide Relying Parties adequate information regarding
the use of the XK designation. +]

 

If an official ISO 3166-1 designation is assigned, then all CAs MUST [+
cease using XK and adopt the +] use [+ of +] the official ISO 3166-1
designation for the Republic of Kosovo.  [+ At the time an official ISO
3166-1 designation is assigned, valid certificates containing the country
code XK MUST cease to be used and replaced with certificates containing the
Republic of Kosovo’s official ISO 3166-1 designation. +] 

 

* XA-XZ are designated as user-defined in ISO 3166-1 and generally SHOULD
NOT be used in trusted certificates, however this situation represents a
temporary exception given the unique diplomatic situation surrounding the
declaration of independence of the Republic of Kosovo.  It is anticipated
that as the situation resolves itself, Kosovo will either be [- given it's
-] [+ assigned its +]own official ISO 3166-1 designation, or it will return
to using solely the designation assigned to Serbia.

-------------

 

(one other passing thought – do we need to explicitly state “ISO 3166-1
alpha-2” or is “ISO 3166-1” sufficient?)

 

So, the above should give us ‘centralised’ governance of the use of XK via
the BRs (which is what you want) as well as providing its defined usage to
Relying Parties (which is what Eddy wants) via the CP/CPS.

 

If you’re happy with the above motion, I’m happy to endorse it.

 

Regards,
Bill

 

 

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com] 
Sent: 31 July 2012 23:29
To: richard.smith at comodo.com; 'William Madell'; 'Erwann Abalea';
public at cabforum.org
Subject: RE: [cabfpub] ISO 3166-1 country codes

 

We’ll adopt if you amend the proposal to clarify that this provision only
applies until Kosovo is assigned its own ISO designation. Something like:

 

Appendix D - Country-Specific Interpretative Guidelines (Normative)

Republic of Kosovo

Until the Republic of Kosovo is assigned an official ISO 3166-1 designation,
CAs operating in jurisdictions that recognize the Republic of Kosovo MAY, at
their discretion, use either (i) the country code RS for Serbia, or (ii) in
line with the European Commission (see
http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/Glossary:Cou
ntry_codes) as well as certain other governments and organizations, use the
country code XK* for the Republic of Kosovo.  If an official ISO 3166-1
designation is assigned, then all CAs MUST use the official ISO 3166-1
designation for the Republic of Kosovo.

 

* XA-XZ are designated as user-defined in ISO 3166-1 and generally SHOULD
NOT be used in trusted certificates, however this situation represents a
temporary exception given the unique diplomatic situation surrounding the
declaration of independence of the Republic of Kosovo.  It is anticipated
that as the situation resolves itself, Kosovo will either be given it's own
official ISO 3166-1 designation, or it will return to using solely the
designation assigned to Serbia.

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Tuesday, July 31, 2012 8:30 AM
To: 'William Madell'; 'Erwann Abalea'; public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes

 

I am looking for 2 endorsers for the following motion to amend the BRs:

 

Rich Smith made the following motion and ___ and ____ endorsed it.

 

Add to the Baseline Requirements:

 

Appendix D - Country-Specific Interpretative Guidelines (Normative)

Republic of Kosovo

CAs operating in jurisdictions which have extended diplomatic recognition to
the Republic of Kosovo MAY, at their discretion, use EITHER the country code
RS for Serbia, OR in line with the European Commission (see
http://epp.eurostat.ec.europa.eu/statistics_explained/index.php/Glossary:Cou
ntry_codes) as well as certain other governments and organizations, use the
country code XK* for the Republic of Kosovo.

 

* XA-XZ are designated as user-defined in ISO 3166-1 and generally SHOULD
NOT be used in trusted certificates, however this situation represents a
temporary exception given the unique diplomatic situation surrounding the
declaration of independence of the Republic of Kosovo.  It is anticipated
that as the situation resolves itself, Kosovo will either be given it's own
official ISO 3166-1 designation, or it will return to using solely the
designation assigned to Serbia.

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of William Madell
Sent: Tuesday, July 31, 2012 6:17 AM
To: 'Erwann Abalea'; public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes

 

Agreed – the CABF can decide to use ‘XK’ as its user-assigned country code
for Kosovo within the context of the BRs (perhaps, also in the context of
EV?).  

 

As Erwann recommends, the CABF should publicly document that decision – I
suggest as either an erratum or appendix to the BRs.

 

Bill

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Erwann Abalea
Sent: 31 July 2012 10:46
To: public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes

 

Nice question.

XK being one of the "user-assigned code elements", it can therefore be
freely used wherever you want, and it won't be used in any update of the
standard.
http://www.iso.org/iso/home/standards/country_codes/special-code-elements-is
o-3166.htm#Reserved-code-elements is pretty clear on the purpose and limits
of the user-assigned codes.
Faced with such a request, I'd also tend to approve it, publicly document
the use of "XK" code to designate "Kosovo", and notify the ISO-3166/MA of
the use of this code.

EU hasn't recognized Kosovo as an independant nation, it's strange that XK
is used by the EC.

-- 
Erwann ABALEA
 

Le 30/07/2012 22:39, Rich Smith a écrit :

I've come across an edge case that I'd like to get some discussion on.

 

We have received a request for a customer in Kosovo, which the two
jurisdictions to which we are subject (US and UK) recognize as a sovereign
country.  However because there is still some wrangling going on in the UN,
Kosovo does not at this time have an official ISO 3166 country code.

 

I came across some information that the European Commission, Switzerland,
and the Deutsche Bundesbank among others are temporarily using XK as a
designator for Kosovo.  Any thought as to whether or not doing the same in a
certificate would be in compliance with Section 9.2.5 of the BRs?

 

9.2.5      Subject Country Name Field

Certificate Field:  subject:countryName (OID: 2.5.4.6)

Required/Optional:  Optional

Contents:  If the subject:countryName field is present, then the CA SHALL
verify the country associated with the Subject in accordance with Section
11.2.5 and use its two-letter ISO 3166-1 country code.

 

Since XK is set aside by the ISO as user assigned, I tend to lean toward
allowing it, but I also think that we should probably decide as a group so
that we all (at least all in jurisdictions which recognize Kosovo) treat
Kosovo in a uniform fashion.  Thoughts?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120801/617ac046/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120801/617ac046/attachment-0004.bin>

More information about the Public mailing list