[cabfpub] ISO 3166-1 country codes

William Madell bill.madell at trustis.com
Tue Jul 31 19:09:24 UTC 2012

Rich – 


I think Eddy’s got a point regarding the public meaningfulness of an arbitrary/unofficial country code.  


Section 9.2.5 mandates the use of a defined – therefore, meaningful – code for the countryName attribute.  The X.520 rules say an ISO 3166-1/3 alpha-2 code is used.  ISO 3166/MA says, “here’s a bunch of unassigned alpha-2 codes that can be user-defined.”  So, maybe the answer is to define it within the Certificate Policy under which the cert is issued?


Perhaps, we could expand sec. 9.2.5 to allow that approach; it might look like this:



Contents: If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject in accordance with Section 11.2.5 and use its two-letter ISO 3166-1 country code.  If a country is not assigned a two-letter ISO 3166-1 country code, a CA MAY utilise a user-assigned code.  If the CA utilises a user-assigned code, the CA MUST define the country identified by the code in its Certificate Policy or Certification Practice Statement.



The alternative, of course, is to issue a certificate to a Kosovo entity which does NOT contain a countryName attribute (which, if I read it correctly, also means the certificate must not contain an organization attribute).



From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: 31 July 2012 17:15
To: public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes


Hi Rich,

On 07/30/2012 11:39 PM, From Rich Smith: 

Since XK is set aside by the ISO as user assigned, I tend to lean toward allowing it, but I also think that we should probably decide as a group so that we all (at least all in jurisdictions which recognize Kosovo) treat Kosovo in a uniform fashion.  Thoughts?

I'm not in favor because this code doesn't say really anything to a relying party (could be as well XX). A code that hasn't been approved shall not be used because it's not possible to recognize it.




Eddy Nigg, COO/CTO


StartCom Ltd. <http://www.startcom.org> 


startcom at startcom.org


Join the Revolution! <http://blog.startcom.org> 


Follow Me <http://twitter.com/eddy_nigg> 
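To make the proposed 9.2.5 wording checkable, here is an added example (not from the thread, the Forum, or any CA's code): a lint function over a parsed subject that distinguishes an assigned ISO 3166-1 alpha-2 code, a user-assigned code that needs a CP/CPS definition, and a value that is neither. The set of assigned codes is a constructed sample (a real check would load the full ISO 3166-1 table), and the absent-countryName branch follows William's reading that a certificate without countryName must also omit the organization attribute.

```python
"""Lint a certificate subject's countryName against the proposed section 9.2.5 text."""
import re
from enum import Enum

# ISO 3166-1 reserves AA, QM-QZ, XA-XZ and ZZ for user assignment;
# XK (the code discussed for Kosovo) falls in the XA-XZ block.
_USER_ASSIGNED = re.compile(r"^(AA|Q[M-Z]|X[A-Z]|ZZ)$")

# Constructed subset of officially assigned alpha-2 codes, for illustration only.
SAMPLE_ASSIGNED = frozenset({"US", "GB", "DE", "IL", "RS", "AL", "FR"})


class Verdict(Enum):
    OK = "assigned ISO 3166-1 code"
    USER_ASSIGNED_DEFINED = "user-assigned code, defined in the CA's CP/CPS"
    NEEDS_CP_DEFINITION = "user-assigned code; MUST be defined in CP/CPS"
    INVALID = "not an ISO 3166-1 alpha-2 code"
    ABSENT_OK = "countryName absent and no organization attribute"
    ABSENT_WITH_ORG = "countryName absent but organization attribute present"


def check_country_name(subject, assigned=SAMPLE_ASSIGNED, cp_defined=frozenset()):
    """Classify subject['C'] under the proposed rule.

    subject    -- dict of RDN attribute type -> value, e.g. {"C": "XK", "O": "Example"}
    assigned   -- set of officially assigned alpha-2 codes (hypothetical parameter)
    cp_defined -- user-assigned codes the issuing CA defines in its CP/CPS
    """
    country = subject.get("C")
    if country is None:
        # Without countryName the organization attribute must be absent too.
        return Verdict.ABSENT_WITH_ORG if "O" in subject else Verdict.ABSENT_OK
    if not re.fullmatch(r"[A-Z]{2}", country):
        return Verdict.INVALID
    if country in assigned:
        return Verdict.OK
    if _USER_ASSIGNED.match(country):
        # Allowed only when the CP/CPS says which country the code identifies.
        return Verdict.USER_ASSIGNED_DEFINED if country in cp_defined else Verdict.NEEDS_CP_DEFINITION
    # Syntactically alpha-2 but neither assigned nor user-assignable: reject.
    return Verdict.INVALID
```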


