[Servercert-wg] [Smcwg-public] [EXTERNAL] Re: orgID - Government entities

Stephen Davidson Stephen.Davidson at digicert.com
Fri Apr 14 16:49:00 UTC 2023


Here is the actual text from ISO:



Subdivision codes (ISO 3166-2)

Subdivision codes - code that represents the name of a principal subdivision
(e.g. province or state) of countries coded in ISO 3166-1. This code is based
on the two-letter code element from ISO 3166-1 followed by a separator and
up to three alphanumeric characters. The characters after the separator
cannot be used on their own to denote a subdivision, they must be preceded
by the alpha-2 country code.

For example - ID-RI is the Riau province of Indonesia and NG-RI is the
Rivers province in Nigeria.

The codes denoting the subdivision are usually obtained from national
sources and stem from coding systems already in place in the country.



Best, Stephen





From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Tim
Hollebeek via Smcwg-public
Sent: Friday, April 14, 2023 1:45 PM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; CA/B Forum Server
Certificate WG Public Discussion List <servercert-wg at cabforum.org>; Paul van
Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME Certificate Working
Group <smcwg-public at cabforum.org>; Bruce Morton <bruce.morton at entrust.com>;
Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
Subject: Re: [Smcwg-public] [Servercert-wg] [EXTERNAL] Re: orgID -
Government entities



Yes, the language here was added rather quickly and was written with the
United States in mind, as the original draft language did not consider
countries that register organizations primarily at the subdivision level.
That’s how the incorrect assumption that ISO 3166-2 subdivisions are always
two letters snuck in.



-Tim



From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of
Corey Bonnell via Servercert-wg
Sent: Tuesday, April 4, 2023 5:12 AM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME
Certificate Working Group <smcwg-public at cabforum.org>; Bruce Morton
<bruce.morton at entrust.com>; Dimitris Zacharopoulos (HARICA)
<dzacharo at harica.gr>
Cc: CA/B Forum Server Certificate WG Public Discussion List
<servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] [Smcwg-public] [EXTERNAL] Re: orgID -
Government entities



*	I think it correctly states ISO 3166-2 but it incorrectly assumes
that the subdivision has a length of two.



Looks like this is an error that was originally introduced in the EVGs for
orgID. EVG 9.2.8 says:



“For the NTR Registration Scheme identifier, if required under Section
9.2.4, a 2 character ISO 3166‐2 identifier for the subdivision (state or
province) of the nation in which the Registration Scheme is operated,
preceded by plus “+” (0x2B (ASCII), U+002B (UTF‐8));”



We should fix that too (CC’ing servercert-wg).



Thanks,

Corey



From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Paul
van Brouwershaven via Smcwg-public
Sent: Tuesday, April 4, 2023 5:03 AM
To: Bruce Morton <bruce.morton at entrust.com>; SMIME Certificate Working
Group <smcwg-public at cabforum.org>; Dimitris Zacharopoulos (HARICA)
<dzacharo at harica.gr>
Subject: Re: [Smcwg-public] [EXTERNAL] Re: orgID - Government entities



ISO 3166-1 is the country code

ISO 3166-2 is the subdivision code



S/MIME BR 7.1.4.2.2.d. Note 2 states:

“For Government Entities, the CA SHALL enter the Registration Scheme
identifier ‘GOV’ followed by the 2 character ISO 3166 country code for the
nation in which the Government Entity is located. If the Government Entity
is verified at a subdivision (state or province) level, then a plus “+”
(0x2B (ASCII), U+002B (UTF‐8)) followed by a 2 character ISO 3166‐2
identifier for the subdivision is added.”



I think it correctly states ISO 3166-2 but it incorrectly assumes that the
subdivision has a length of two.



  _____

From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of
Dimitris Zacharopoulos (HARICA) via Smcwg-public
<smcwg-public at cabforum.org>
Sent: Tuesday, April 4, 2023 07:37
To: Bruce Morton <Bruce.Morton at entrust.com>; SMIME Certificate Working
Group <smcwg-public at cabforum.org>
Subject: [EXTERNAL] Re: [Smcwg-public] orgID - Government entities




It should be ISO 3166-1 for the alpha-2 character code. This was probably an
oversight.

Stephen, is this something we could add to the upcoming ballot with fixes?


Thanks,
Dimitris.

On 30/3/2023 8:24 μ.μ., Bruce Morton via Smcwg-public wrote:

Sorry I missed the call yesterday.



I am hoping the QIIS item can be added to the erratum. In addition, we have
the following observation.



S/MIME BR 7.1.4.2.2.d. Note 2 states, “For Government Entities, the CA
SHALL enter the Registration Scheme identifier ‘GOV’ followed by the 2
character ISO 3166 country code for the nation in which the Government
Entity is located. If the Government Entity is verified at a subdivision
(state or province) level, then a plus “+” (0x2B (ASCII), U+002B (UTF‐8))
followed by a 2 character ISO 3166‐2 identifier for the subdivision is
added.”



The wording is complicated as there are no 2 character 3166-2 identifiers as
they start with the 2 character country code plus a hyphen. For California
the code is US-CA, but we expect the result for the orgID to be GOVUS+CA and
not GOVUS+US-CA. For Czechia, they append 2 or 3 numerals such as CZ-201. I
assume we want to show GOVCZ+201 (see
https://www.iso.org/obp/ui/#iso:code:3166:CZ), but this is adding more than
2 characters.



I am not sure how to state this but I think we want these examples:



OrgID GOVUS based on ISO 3166-1 US indicator

OrgID GOVUS+CA based on ISO 3166-1 US indicator and ISO3166-2 US-CA
indicator

OrgID GOV CZ+201 based on ISO 3166-1 CZ indicator and ISO3166-2 CZ-201
indicator



So could we add this to a clarification ballot and change “followed by a 2
character ISO 3166‐2 identifier for the subdivision added” to “followed
by the ISO 3166-2 additional characters identified for the subdivision
added”? Then provide the examples.





Thanks, Bruce.
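
The orgID construction discussed in this thread, as an added example that is not part of any message or of CA/B Forum text: a shape check for the GOV form that compares the "2 character" reading with the ISO definition quoted above (up to three alphanumeric characters after the separator). The function names are hypothetical, and the check covers shape only, with no lookup against the actual ISO 3166 code lists.

```python
import re

# Shape only (assumption): no lookup against the real ISO 3166 code lists.
# ISO 3166-2 per the text quoted in the thread: alpha-2 country code, a
# separator, then up to three alphanumeric characters.
_ISO_3166_2 = re.compile(r"([A-Z]{2})-([A-Z0-9]{1,3})")
_GOV_ISO = re.compile(r"GOV([A-Z]{2})(?:\+([A-Z0-9]{1,3}))?")
# The "2 character" reading of the BR/EVG wording under discussion.
_GOV_TWO_CHAR = re.compile(r"GOV([A-Z]{2})(?:\+([A-Z0-9]{2}))?")


def parse_gov_orgid(value, two_char_rule=False):
    """Return (country, subdivision_or_None); raise ValueError if malformed."""
    pattern = _GOV_TWO_CHAR if two_char_rule else _GOV_ISO
    # fullmatch, not match with "$": a trailing newline must not be accepted.
    m = pattern.fullmatch(value)
    if m is None:
        raise ValueError(f"not a valid GOV orgID: {value!r}")
    return m.group(1), m.group(2)


def gov_orgid_from_subdivision(iso_3166_2_code):
    """Build the orgID from a full ISO 3166-2 code such as 'CZ-201'."""
    m = _ISO_3166_2.fullmatch(iso_3166_2_code)
    if m is None:
        raise ValueError(f"not ISO 3166-2 shaped: {iso_3166_2_code!r}")
    country, subdivision = m.groups()
    # Country prefix and hyphen are dropped: GOVUS+CA, not GOVUS+US-CA.
    return f"GOV{country}+{subdivision}"


def accepted(value, two_char_rule=False):
    """True if the value parses under the chosen rule."""
    try:
        parse_gov_orgid(value, two_char_rule)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples taken from the examples in the thread.
    for sample in ("GOVUS", "GOVUS+CA", "GOVCZ+201", "GOVUS+US-CA"):
        print(sample, accepted(sample), accepted(sample, two_char_rule=True))
```
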



