[cabfpub] ISO 3166-1 country codes
bill.madell at trustis.com
Tue Jul 31 19:09:24 UTC 2012
I think Eddy’s got a point regarding the public meaningfulness of an arbitrary/unofficial country code.
Section 9.2.5 mandates the use of a defined – therefore, meaningful – code for the countryName attribute. The X.520 rules say an ISO 3166-1/3 alpha-2 code is used. ISO 3166/MA says, “here’s a bunch of unassigned alpha-2 codes that can be user-defined.” So, maybe the answer is to define it within the Certificate Policy under which the cert is issued?
Perhaps, we could expand sec. 9.2.5 to allow that approach; it might look like this:
Contents: If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject in accordance with Section 11.2.5 and use its two-letter ISO 3166-1 country code. If a country is not assigned a two-letter ISO 3166-1 country code, a CA MAY utilise a user-assigned code. If the CA utilises a user-assigned code, the CA MUST define the country identified by the code in its Certificate Policy or Certification Practice Statement.
The alternative, of course, is to issue a certificate to a Kosovo entity which does NOT contain a countryName attribute (which, if I read it correctly, also means the certificate must not contain an organization attribute).
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: 31 July 2012 17:15
To: public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes
On 07/30/2012 11:39 PM, From Rich Smith:
Since XK is set aside by the ISO as user assigned, I tend to lean toward allowing it, but I also think that we should probably decide as a group so that we all (at least all in jurisdictions which recognize Kosovo) treat Kosovo in a uniform fashion. Thoughts?
I'm not in favor because this code doesn't say really anything to a relying party (could be as well XX). A code that hasn't been approved shall not be used because it's not possible to recognize it.
Eddy Nigg, COO/CTO
StartCom Ltd. <http://www.startcom.org>
startcom at startcom.org
Join the Revolution! <http://blog.startcom.org>
Follow Me <http://twitter.com/eddy_nigg>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public