[cabfpub] C=GR, C=UK exceptions in BRs

Geoff Keating geoffk at apple.com
Mon Mar 20 09:05:42 UTC 2017



> On Mar 19, 2017, at 11:59 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
> 
>> On 18/3/2017 9:06 πμ, Geoff Keating wrote:
>> In this discussion, I think perhaps a key point has been lost:
>> 
>> Why is the CABforum involved in this?
>> 
>> The CABforum does not assign country codes, nor is it responsible for defining the countryName attribute (that’s in ITU-T X.520 | ISO/IEC 9594-6).  I don’t see why the CABforum should consider itself free to change that definition and I don’t see why people should be asking it to.
>> 
>> Even if it was permitted, would it be wise?  The CABforum is not well suited to be determining the existence or names of countries, especially in contentious cases, and there are a lot of contentious cases in this area.  An important function of the ISO 3166 Maintenance Agency is to enfold these contentious cases in careful bureaucracy and to come up with a result that, while it might not be agreed to be the correct result, or the desirable result, is at least agreed to be the result.
>> 
> 
> Geoff,
> 
> The CA/B Form is involved because I presented an EU legal document that mandates using "C=EL" and "C=UK" as exceptions to the ISO-3166, in X.509 Certificates. Check my e-mail sent on March 17th. Just to restate the problem, the current BRs dictate using the two-letter country codes in ISO-3166-1 for the Subject Information. This creates a conflict if there is a case where a subject is required to use one of the other country identifiers, like the referenced 1505/2015 commission implementing decision.

I believe this has been covered elsewhere in the discussion; the requirement in that decision applies only to Member States, not CAs, and only to a specific notification from the member to the EC, not to certificates.  So there is no conflict there.

An organization is free to say 'we will use our own codes for some countries for our internal purposes'. This is their choice to not use the standard. However it does not change the standard, and they cannot truthfully state that the result is standard-conforming.

> These two countries have been using these identifiers for years and have broadly been used in legal documents and official correspondence in the European Union. As I am sure you are quite aware, you can't get more bureaucracy than the EU, so for these identifiers to be included in legal documents, it means that all the proper agencies have approved this. I presented one of possibly hundreds of documents using these identifiers but the one I posted is very closely related to X.509 digital certificates.

The ISO is the relevant authority, and they have not approved.

I also do not see where the EU has actually approved, requested, suggested, or even hinted at the use of this value in certificates.  A specific reference would be needed.

> I agree that ISO-3166-1 is a great place to start but if there are specific exceptions to it, like the ones specified in the 1505/2015 decision, coming from organizations like the EU, IMHO they should be respected.

Even if, counterfactually, the EU had said they would prefer these values in certificates, what justification does the EU have to do so?  They are not the ISO and do not produce the relevant standards and did not assign the OID.  It would be inappropriate for them to try to alter an ISO standard without going through the ISO process.  It would also be inappropriate for them to bring the CABforum into any disagreement they are having with the ISO, or for the CABforum to permit itself to be used that way.

Likewise Greece; but Greece is literally the last country in the world that I can imagine saying that an international body should be ignored in favor of a country's preferred nomenclature, because of their dispute over Macedonia.


More information about the Public mailing list