> On Mar 19, 2017, at 11:59 PM, Dimitris Zacharopoulos <ji...@it.auth.gr> wrote:
>> On 18/3/2017 9:06 AM, Geoff Keating wrote:
>> In this discussion, I think perhaps a key point has been lost:
>> Why is the CABforum involved in this?
>> The CABforum does not assign country codes, nor is it responsible for
>> defining the countryName attribute (that’s in ITU-T X.520 | ISO/IEC 9594-6).
>> I don’t see why the CABforum should consider itself free to change that
>> definition and I don’t see why people should be asking it to.
>> Even if it was permitted, would it be wise? The CABforum is not well suited
>> to be determining the existence or names of countries, especially in
>> contentious cases, and there are a lot of contentious cases in this area.
>> An important function of the ISO 3166 Maintenance Agency is to enfold these
>> contentious cases in careful bureaucracy and to come up with a result that,
>> while it might not be agreed to be the correct result, or the desirable
>> result, is at least agreed to be the result.
> The CA/B Forum is involved because I presented an EU legal document that
> mandates using "C=EL" and "C=UK" as exceptions to the ISO-3166, in X.509
> Certificates. Check my e-mail sent on March 17th. Just to restate the
> problem, the current BRs dictate using the two-letter country codes in
> ISO-3166-1 for the Subject Information. This creates a conflict if there is a
> case where a subject is required to use one of the other country identifiers,
> like the referenced 1505/2015 commission implementing decision.
I believe this has been covered elsewhere in the discussion; the requirement in
that decision applies only to Member States, not CAs, and only to a specific
notification from the member to the EC, not to certificates. So there is no
An organization is free to say 'we will use our own codes for some countries
for our internal purposes'. This is their choice to not use the standard.
However it does not change the standard, and they cannot truthfully state that
the result is standard-conforming.
> These two countries have been using these identifiers for years and have
> broadly been used in legal documents and official correspondence in the
> European Union. As I am sure you are quite aware, you can't get more
> bureaucracy than the EU, so for these identifiers to be included in legal
> documents, it means that all the proper agencies have approved this. I
> presented one of possibly hundreds of documents using these identifiers but
> the one I posted is very closely related to X.509 digital certificates.
The ISO is the relevant authority, and they have not approved.
I also do not see where the EU has actually approved, requested, suggested, or
even hinted at the use of this value in certificates. A specific reference
would be needed.
> I agree that ISO-3166-1 is a great place to start but if there are specific
> exceptions to it, like the ones specified in the 1505/2015 decision, coming
> from organizations like the EU, IMHO they should be respected.
Even if, counterfactually, the EU had said they would prefer these values in
certificates, what justification does the EU have to do so? They are not the
ISO and do not produce the relevant standards and did not assign the OID. It
would be inappropriate for them to try to alter an ISO standard without going
through the ISO process. It would also be inappropriate for them to bring the
CABforum into any disagreement they are having with the ISO, or for the
CABforum to permit itself to be used that way.
Likewise Greece; but Greece is literally the last country in the world that I
can imagine saying that an international body should be ignored in favor of a
country's preferred nomenclature, because of their dispute over Macedonia.