[cabfpub] C=GR, C=UK exceptions in BRs

Ryan Sleevi sleevi at google.com
Fri Mar 17 14:08:38 UTC 2017


On Fri, Mar 17, 2017 at 7:26 AM, Dimitris Zacharopoulos via Public <
public at cabforum.org> wrote:

> We came across an interesting request which relates to a probably unique
> situation for Greece, but also exists for UK.
>
> From https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2, it is documented
> that the European Commission
> <https://en.wikipedia.org/wiki/European_Commission> generally uses ISO
> 3166-1 alpha-2 codes *with two exceptions*: EL (not GR) is used to
> represent Greece and UK (not GB) is used to represent the United Kingdom.
>
> Here is the official Country codes list http://ec.europa.eu/eurostat/
> statistics-explained/index.php/Glossary:Country_codes. There is no doubt
> that there are several laws, treaties and other legal documents supporting
> these two exceptions.
>
> According to the BRs 7.1.4.2.2.h
>
> "the subject:countryName MUST contain the two-letter ISO 3166-1 country
> code associated with the location of the Subject verified under Section
> 3.2.2.1. If the subject:organizationName field is absent, the
> subject:countryName field MAY contain the two-letter ISO 3166-1 country
> code associated with the Subject as verified in accordance with Section
> 3.2.2.3. If a Country is not represented by an official ISO 3166-1 country
> code, the CA MAY specify the ISO 3166-1 user-assigned code of XX indicating
> that an official ISO 3166-1 alpha-2 code has not been assigned."
>
> If I'm reading this correctly, we can't currently use the C=EL in
> BR-compliant SSL Certificates. Would we need to amend the BRs and add an
> exception for these two Countries or could we invoke 9.16.3?
>

Why do you believe 9.16.3 would be appropriate? That is, 9.16.3 would only
be appropriate if and only if there was a law saying you _could not_
represent Greece with GR and _could not_ represent GB as UK.

As recently discussed with Li-Chun, it _would not_ be appropriate or
applicable if another PKI which you participated in required that, even if
that PKI was established by law, if participation in that PKI was not
mandatory for all CAs within that jurisdiction.

You are correct in reading that C=EL and C=UK should not be used as
currently specified in the BRs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170317/d8950590/attachment-0003.html>


More information about the Public mailing list