[cabfpub] ISO 3166-1 country codes

Rich Smith richard.smith at comodo.com
Tue Jul 31 20:26:46 UTC 2012


I'm certainly willing to go the CPS route to get this done, but I think that only exacerbates the one legitimate concern which has been raised, namely that of relying parties being able to identify which country it represents.  I think my approach of adding as an Appendix to the BR and creating a standard, documented usage across the industry is a much better approach.  Better that the CA/B Forum acts as the user doing the defining, rather than each CA on its own coming up with a bunch of different solutions.



The politics involved don't concern me, and shouldn't concern us as a Forum, except that ISO 3166 takes its lead from the UN so until the UN makes a final decision, 3166 doesn't get updated.  A UN decision on this or anything else like it could take years (it's already been 4) or never come.  


In the mean time, at least for those of us in a jurisdiction that recognizes the Republic of Kosovo, we live in a world where there is in point of fact a country called the Republic of Kosovo, as per the laws of the jurisdiction to which we are subject.   ISO 3166 does in fact have a mechanism by which we can deal with the situation.  I fully agree, let's leave the politics out of it, and simply use the standard as it exists to create a solution which works for our industry, publish what that mechanism is and go on about our business.  I think my proposal does exactly that and it's neutral as far as which side of the fence a particular CAs jurisdiction falls into with regards to the politics involved.


As far as other regions which may be in similar situations, fine.  We can deal with them in similar fashion if and when they present themselves.  I think by adding the user defined codes into the standard, ISO acknowledged that by tying the standard to the UN, there may arise situations in the real world with which they can't keep up so the standard allows those of us who have to live in the real world to use those reserved codes to fill in the gaps.  Let's get the job done that they can't do at the moment.


As Bill has pointed out, I can use that mechanism to define my own solution, and if the consensus of the Forum is that I should do that, fine, I'll get it done, but IMO it is short sighted and prone to far more errors and relying party confusion to have every CA making their own policies on this than to have the Forum make a sensible policy for the industry.  That policy should take the real world situation into account and not worry about the 'politics' of it.





From: William Madell [mailto:bill.madell at trustis.com] 
Sent: Tuesday, July 31, 2012 3:09 PM
To: 'Eddy Nigg (StartCom Ltd.)'; richard.smith at comodo.com; public at cabforum.org
Subject: RE: [cabfpub] ISO 3166-1 country codes


Rich – 


I think Eddy’s got a point regarding the public meaningfulness of an arbitrary/unofficial country code.  


Section 9.2.5 mandates the use of a defined – therefore, meaningful – code for the countryName attribute.  The X.520 rules say an ISO 3166-1/3 alpha-2 code is used.  ISO 3166/MA says, “here’s a bunch of unassigned alpha-2 codes that can be user-defined.”  So, maybe the answer is to define it within the Certificate Policy under which the cert is issued?


Perhaps, we could expand sec. 9.2.5 to allow that approach; it might look like this:



Contents: If the subject:countryName field is present, then the CA SHALL verify the country associated with the Subject in accordance with Section 11.2.5 and use its two-letter ISO 3166-1 country code.  If a country is not assigned a two-letter ISO 3166-1 country code, a CA MAY utilise a user-assigned code.  If the CA utilises a user-assigned code, the CA MUST define the country identified by the code in its Certificate Policy or Certification Practice Statement.



The alternative, of course, is to issue a certificate to a Kosovo entity which does NOT contain a countryName attribute (which, if I read it correctly, also means the certificate must not contain an organization attribute).




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: 31 July 2012 17:15
To: public at cabforum.org
Subject: Re: [cabfpub] ISO 3166-1 country codes


Hi Rich,

On 07/30/2012 11:39 PM, From Rich Smith: 

Since XK is set aside by the ISO as user assigned, I tend to lean toward allowing it, but I also think that we should probably decide as a group so that we all (at least all in jurisdictions which recognize Kosovo) treat Kosovo in a uniform fashion.  Thoughts?

I'm not in favor because this code doesn't say really anything to a relying party (could be as well XX). A code that hasn't been approved shall not be used because it's not possible to recognize it.




Eddy Nigg, COO/CTO


StartCom Ltd. <http://www.startcom.org> 


startcom at startcom.org


Join the Revolution! <http://blog.startcom.org> 


Follow Me <http://twitter.com/eddy_nigg> 



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120731/ae7c02d1/attachment-0004.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 6391 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20120731/ae7c02d1/attachment-0004.bin>

More information about the Public mailing list