[cabfpub] Path forward for DV cert subjects

Jacob Hoffman-Andrews jsha at letsencrypt.org
Wed Nov 8 16:03:16 MST 2017


On Fri, Nov 3, 2017 at 2:37 PM, Peter Bowen via Public <public at cabforum.org>
wrote:

> What do others think?  Is it reasonable to allow DV certificates with
> countryName in the subject?
>

I think this is a reasonable and good path forward.

I would like it if we could choose a value for countryName that would mean
"no country asserted." While it's fairly straightforward to pick a country
based on geolocating the IP address of the subscriber, or the IP address of
a server involved in validation (if there is one), this introduces
otherwise-unnecessary code for DV CAs. Also, the result of IP geolocation
will frequently misrepresent what the subscriber thinks of as their
country, in particular because many people use cloud services in another
country. I expect this difference would lead to an unnecessarily large
customer support burden. For instance, we could choose QQ from the
user-assigned code elements of ISO-3166
<https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#User-assigned_code_elements>
to mean "no country asserted."