[Servercert-wg] [EXTERNAL] State or Province

Thu Sep 5 10:48:55 MST 2019

I agree that we need to work together to standardize a process for state/country including the field contents; however, we are all aware that there are a variety of complications due to countries simply having different address structures.  I would like to discuss what I see as a common issue and discuss an alternative solution/source.  Bear with me this is long, but I think examples help the process.
For the sake of argument, let us focus on Physical Address (EVG 9.5.6) and Physical Existence (EVG 11.4) validation.  I think we can all agree that the point of these sections is to be able to direct a certificate consumer to the physical location of the business.  In my opinion, ISO may not be the right place to do this for certificate consumers, but something like UPU (Universal Postal Union)<http://www.upu.int/en/activities/addressing/postal-addressing-systems-in-member-countries.html> would be knowledgeable about how to get to a specific location.
For example, UPU for GB shows that an address can contain these elements:
Addressee identification
Building
Dependent thoroughfare
Thoroughfare
Double dependent locality
Dependent locality
POST TOWN
County
POSTCODE
UNITED KINGDOM
Commonly, one might see something like this (sourced from UPU):
Leda Engineering Ltd (addressee)
APPLEFORD (dependent locality)
ABINGDON (post town – not listed in ISO)
OX14 4PG (postcode)
UNITED KINGDOM
If we determine mapping ISO 3166-2 subdivisions to stateOrProvince and force a state requirement, this means we would require Oxfordshire in the state field for the company Leda Engineering Ltd.  QGIS and QIIS sources may not be able to validate Oxfordshire as this is not commonly used, I had to do a basic online search to find out that Abingdon was in Oxfordshire.  I believe it is more reliable to report what we can validate in the Subject fields.
Which is better for the community, that CA’s report what they validate (L: Appleford, S: Abingdon C: GB) or what ISO says is true (L: Abingdon S: Oxfordshire C: GB)?
Thank you,
Joanna Fox

From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Doug Beattie via Servercert-wg
Sent: Thursday, September 5, 2019 10:39 AM
To: Wayne Thayer <wthayer at mozilla.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Ryan Sleevi <sleevi at google.com>
Subject: Re: [Servercert-wg] [EXTERNAL] State or Province

Notice: This email is from an external sender.

There are certainly some countries we could include in a MUST list.

From: Servercert-wg <servercert-wg-bounces at cabforum.org<mailto:servercert-wg-bounces at cabforum.org>> On Behalf Of Wayne Thayer via Servercert-wg
Sent: Thursday, September 5, 2019 1:35 PM
To: Ryan Sleevi <sleevi at google.com<mailto:sleevi at google.com>>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>>
Subject: Re: [Servercert-wg] [EXTERNAL] State or Province

On Thu, Sep 5, 2019 at 7:54 AM Ryan Sleevi via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

On Thu, Sep 5, 2019 at 10:09 AM Richard Smith <rich at sectigo.com<mailto:rich at sectigo.com>> wrote:

OK, then yes, England is acceptable.  But wait, 3166-2 says England is a country.  That’s not a state or a province.  How about right below England on the page, we have England and Wales.  Is that acceptable for the ST field?  But 3166-2 says that’s a nation.  That’s not a state or a province either.  And BTW what the heck is the difference (from the perspective of this ISO standard) between a country and a nation, because I’ve always thought they were synonyms.  I guess someone, either in the UK, or over at ISO would disagree.

Right, to be clear, I agree 100% with Jeremy that we should get it to a MUST and absolutely should get consistency. The question is, as you point out, consistency "with what". The challenge is that 3166-2 includes many levels of hierarchy, not just "the immediate second".

If we can agree to some generic mapping of 3166-2 subdivisions to stateOrProvince, then there is value in adding that as a SHOULD. Linters can then start warning on this rule and provide the data we'll need to feel comfortable moving the requirement to a MUST.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190905/1705c783/attachment-0001.html>