[cabfpub] Acceptable values for countryName

Ben Wilson ben.wilson at digicert.com
Sun Jul 31 16:43:54 MST 2016


I think we should do something to make it more clear that you can use any ISO 3166-1 country/territory code. What if we added "or territory code" to sections 7.1.2.1.e, 7.1.2.2.h, and 7.1.4.2.g, so that 7.1.2.1.e and 7.1.2.2.h would say, "the two-letter ISO 3166-1 country code or territory code for the country or territory in which the CA’s place of business is located" and 7.1.4.2.g would say, "the two-letter ISO 3166-1 country code or territory code associated with the Subject as verified in accordance with Section 3.2.2.3"?

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Peter Bowen
Sent: Sunday, July 24, 2016 9:58 PM
To: Erwann Abalea <Erwann.Abalea at docusign.com>; CABFPub <public at cabforum.org>
Subject: [cabfpub] Acceptable values for countryName

I want to follow up on something Erwann said in a rather long thread.

> On Jul 15, 2016, at 11:25 AM, Erwann Abalea <Erwann.Abalea at docusign.com> wrote:
> 
> That’s in fact a list of ISO3166-1 codes. Not all of them are actual country codes (ISO3166-1 lists country and territories) and are suitable for use in DV/OV/EV certificates (see the definition of an acceptable country code in the BR).
> 
> Among them:
> 	• GF, GP, MQ, YT, RE are regions and departments of France (C=FR, and you can put their name into the stateOrProvinceName attribute), and they are even composed of cities (we have 6 administrative subdivision levels in France, with more than 36000 cities, we’re crazy)
> 	• BV and SJ belong to Norway (C=NO), you can certainly put their name into the stateOrProvinceName attribute
> 	• FK, GI, GS, PN, VG are British Overseas Territories (some are disputed either by Argentina or Spain, but still, C=UK)
> 	• CX and NF are Australian territories (C=AU)
> 	• FO is a constituent country of Denmark (C=DK), exactly like Scotland wrt UK
> 	• GU is a non incorporated territory of the United States of America (C=US), just like Puerto Rico
> 	• GG, IM, JE are Crown dependencies, can possibly be considered as countries (C=GG/IM/JE), but anyway have administrative subdivisions

The Baseline Requirements have a definition of “Country”: “Either a member of the United Nations OR a geographic region recognized as a sovereign nation by at least two UN member nations.” According to the UN, there are 193 member states (http://www.un.org/en/member-states/). There are two non-member states which have permanent observer status — the Holy See and the State of Palestine (http://www.un.org/en/sections/member-states/non-member-states/). These are assigned ISO 3166-1 alpha-2 codes of VA and PS respectively. Based on Wikipedia (https://en.wikipedia.org/wiki/List_of_states_with_limited_recognition#Non-UN_member_states_recognised_by_at_least_one_UN_member_state), with all caveats that brings, there are five additional non-UN member states recognized by at least two UN member states — the Republic of Abkhazia, the Republic of China, the Republic of Kosovo, the Sahrawi Arab Democratic Republic, and the Republic of South Ossetia. This appears to mean 200 states meet the definition of Country in the BRs.

However, section 7.1.4.2.2(g) of the BRs says:

“If the subject:organizationName field is present, the subject:countryName MUST contain the two-letter ISO 3166-1 country code associated with the location of the Subject verified under Section 3.2.2.1. If the subject:organizationName field is absent, the subject:countryName field MAY contain the two-letter ISO 3166-1 country code associated with the Subject as verified in accordance with Section 3.2.2.3. If a Country is not represented by an official ISO 3166-1 country code, the CA MAY specify the ISO 3166-1 user-assigned code of XX indicating that an official ISO 3166-1 alpha-2 code has not been assigned.”

In reading this, I’m not clear whether it is valid to use all 249 assigned ISO 3166-1 alpha-2 codes in the countryName attribute or just the ones that correspond to an entity meeting the BR definition of Country. This ambiguity is because the term “Country” (capitalized) is only used in the last sentence, while earlier uses say the field may contain an “ISO 3166-1 country code”.

Is it valid to include BM, YT, BV, or CX in the countryName attribute?

Thanks,
Peter




