[Servercert-wg] [Smcwg-public] [EXTERNAL] Re: orgID - Government entities

Corey Bonnell Corey.Bonnell at digicert.com
Tue Apr 4 09:11:04 UTC 2023


*	I think it correctly states ISO 3166-2 but it incorrectly assumes
that the subdivision has a length of two.



Looks like this is an error that was originally introduced in the EVGs for
orgID. EVG 9.2.8 says:



“For the NTR Registration Scheme identifier, if required under Section 9.2.4,
a 2 character ISO 3166‐2 identifier for the subdivision (state or province)
of the nation in which the Registration Scheme is operated, preceded by plus
“+” (0x2B (ASCII), U+002B (UTF‐8));”



We should fix that too (CC’ing servercert-wg).



Thanks,

Corey



From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Paul van
Brouwershaven via Smcwg-public
Sent: Tuesday, April 4, 2023 5:03 AM
To: Bruce Morton <bruce.morton at entrust.com>; SMIME Certificate Working Group
<smcwg-public at cabforum.org>; Dimitris Zacharopoulos (HARICA)
<dzacharo at harica.gr>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: orgID - Government entities



ISO 3166-1 is the country code

ISO 3166-2 is the subdivision code



S/MIME BR 7.1.4.2.2.d. Note 2 states:

“For Government Entities, the CA SHALL enter the Registration Scheme
identifier ‘GOV’ followed by the 2 character ISO 3166 country code for the
nation in which the Government Entity is located. If the Government Entity
is verified at a subdivision (state or province) level, then a plus “+”
(0x2B (ASCII), U+002B (UTF‐8)) followed by a 2 character ISO 3166‐2
identifier for the subdivision is added.”



I think it correctly states ISO 3166-2 but it incorrectly assumes that the
subdivision has a length of two.



  _____

From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Dimitris
Zacharopoulos (HARICA) via Smcwg-public <smcwg-public at cabforum.org>
Sent: Tuesday, April 4, 2023 07:37
To: Bruce Morton <Bruce.Morton at entrust.com>; SMIME Certificate Working Group
<smcwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Smcwg-public] orgID - Government entities




It should be ISO 3166-1 for the alpha-2 character code. This was probably an
oversight.

Stephen, is this something we could add to the upcoming ballot with fixes?


Thanks,
Dimitris.

On 30/3/2023 8:24 PM, Bruce Morton via Smcwg-public wrote:

Sorry I missed the call yesterday.



I am hoping the QIIS item can be added to the erratum. In addition, we have
the following observation.



S/MIME BR 7.1.4.2.2.d. Note 2 states, “For Government Entities, the CA
SHALL enter the Registration Scheme identifier ‘GOV’ followed by the 2
character ISO 3166 country code for the nation in which the Government
Entity is located. If the Government Entity is verified at a subdivision
(state or province) level, then a plus “+” (0x2B (ASCII), U+002B (UTF‐8))
followed by a 2 character ISO 3166‐2 identifier for the subdivision is
added.”



The wording is complicated as there are no 2 character 3166-2 identifiers as
they start with the 2 character country code plus a hyphen. For California
the code is US-CA, but we expect the result for the orgID to be GOVUS+CA and
not GOVUS+US-CA. For Czechia, they append 2 or 3 numerals such as CZ-201. I
assume we want to show GOVCZ+201 (see
https://www.iso.org/obp/ui/#iso:code:3166:CZ), but this is adding more than 2
characters.



I am not sure how to state this but I think we want these examples:



OrgID GOVUS based on ISO 3166-1 US indicator

OrgID GOVUS+CA based on ISO 3166-1 US indicator and ISO3166-2 US-CA
indicator

OrgID GOVCZ+201 based on ISO 3166-1 CZ indicator and ISO3166-2 CZ-201
indicator



So could we add this to a clarification ballot and change “followed by a 2
character ISO 3166‐2 identifier for the subdivision added” to “followed
by the ISO 3166-2 additional characters identified for the subdivision
added”? Then provide the examples.





Thanks, Bruce.

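The following is an added illustration, not part of any message in this thread and not text from the S/MIME BR or EVG. It builds the GOV prefix from an ISO 3166-2 code as the thread's examples expect, and compares a linter that reads "2 character" literally with one that accepts the characters after the ISO 3166-2 hyphen (one to three alphanumerics). The function names are hypothetical, only the prefix forms shown in the thread are handled, and codes are checked for syntax only, not against the ISO lists.

```python
import re

# Syntax of a full ISO 3166-2 code: alpha-2 country code, hyphen, then one to
# three alphanumeric characters (e.g. "US-CA", "CZ-201").
ISO_3166_2 = re.compile(r"([A-Z]{2})-([A-Z0-9]{1,3})")

# Literal reading of the quoted note: exactly two characters after "+".
GOV_LITERAL = re.compile(r"GOV([A-Z]{2})(?:\+([A-Z0-9]{2}))?")
# Reading proposed in the thread: the characters after the hyphen, any length
# that ISO 3166-2 allows.
GOV_PROPOSED = re.compile(r"GOV([A-Z]{2})(?:\+([A-Z0-9]{1,3}))?")


def gov_prefix(country, subdivision=None):
    """Build the GOV scheme prefix from an ISO 3166-1 alpha-2 code and an
    optional full ISO 3166-2 code such as 'US-CA' (hypothetical helper)."""
    if not re.fullmatch(r"[A-Z]{2}", country):
        raise ValueError(f"not an alpha-2 country code: {country!r}")
    if subdivision is None:
        return "GOV" + country
    m = ISO_3166_2.fullmatch(subdivision)
    if m is None:
        raise ValueError(f"not an ISO 3166-2 code: {subdivision!r}")
    if m.group(1) != country:
        raise ValueError("subdivision belongs to a different country")
    # Drop the repeated country code and hyphen: US-CA -> +CA, CZ-201 -> +201.
    return f"GOV{country}+{m.group(2)}"


def lint(prefix):
    """Return (accepted by literal rule, accepted by proposed rule)."""
    return (GOV_LITERAL.fullmatch(prefix) is not None,
            GOV_PROPOSED.fullmatch(prefix) is not None)


if __name__ == "__main__":
    # Inputs taken from the examples discussed in the thread.
    for args in [("US",), ("US", "US-CA"), ("CZ", "CZ-201")]:
        prefix = gov_prefix(*args)
        print(prefix, lint(prefix))
    print("GOVUS+US-CA", lint("GOVUS+US-CA"))
```

A certificate linter written to the literal rule would flag GOVCZ+201 as malformed even though it is the value the thread expects.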