[cabfpub] C=GR, C=UK exceptions in BRs
Dimitris Zacharopoulos
jimmy at it.auth.gr
Fri Mar 17 19:01:55 UTC 2017
On 17/3/2017 4:08 PM, Ryan Sleevi wrote:
>
>
> On Fri, Mar 17, 2017 at 7:26 AM, Dimitris Zacharopoulos via Public
> <public at cabforum.org> wrote:
>
> We came across an interesting request which relates to a probably
> unique situation for Greece, but also exists for UK.
>
> From https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2, it is
> documented that the European Commission
> <https://en.wikipedia.org/wiki/European_Commission> generally uses
> ISO 3166-1 alpha-2 codes *with two exceptions*: EL (not GR) is
> used to represent Greece and UK (not GB) is used to represent the
> United Kingdom.
>
> Here is the official Country codes list
> http://ec.europa.eu/eurostat/statistics-explained/index.php/Glossary:Country_codes.
> There is no doubt that there are several laws, treaties and other
> legal documents supporting these two exceptions.
>
> According to the BRs 7.1.4.2.2.h
>
> "the subject:countryName MUST contain the two-letter ISO 3166-1
> country code associated with the location of the Subject verified
> under Section 3.2.2.1. If the subject:organizationName field is
> absent, the subject:countryName field MAY contain the two-letter
> ISO 3166-1 country code associated with the Subject as verified in
> accordance with Section 3.2.2.3. If a Country is not represented
> by an official ISO 3166-1 country code, the CA MAY specify the ISO
> 3166-1 user-assigned code of XX indicating that an official ISO
> 3166-1 alpha-2 code has not been assigned."
>
> If I'm reading this correctly, we can't currently use the C=EL in
> BR-compliant SSL Certificates. Would we need to amend the BRs and
> add an exception for these two Countries or could we invoke 9.16.3?
>
>
> Why do you believe 9.16.3 would be appropriate? That is, 9.16.3 would
> only be appropriate if and only if there was a law saying you _could
> not_ represent Greece with GR and _could not_ represent GB as UK.
>
> As recently discussed with Li-Chun, it _would not_ be appropriate or
> applicable if another PKI which you participated in required that,
> even if that PKI was established by law, if participation in that PKI
> was not mandatory for all CAs within that jurisdiction.
>
> You are correct in reading that C=EL and C=UK should not be used as
> currently specified in the BRs.

Thanks everyone for providing comments and clarity to this subject. So,
to summarize, regardless of being "exceptionally reserved" or not, since
the BRs strictly mandate following ISO 3166-1, CAs can't currently use
C=EL or C=UK in BR-compliant SSL certificates.

Ryan, it seems you are reading the 9.16.3 requirement from a different
point of view than I am. I don't think you're likely to see a local law
that mandates what you "can't do". So, you are not likely to see a law
or an executive order that says "you cannot represent Greece with GR".
It is more likely that you will find a law that says that "for this type
of certificate, you must represent Greece with EL". I think that should
be enough for 9.16.3 because there is a "conflict between these
Requirements and a law". In our example, the BRs say you can't use C=EL
but the "local" law says you must use C=EL.

I also think you will never see a local law or executive order that
reads something so overly specific as to combine this requirement with
"publicly trusted Certificates".

For your consideration, please have a look at
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505
and specifically Annex II. This is an Implementing Decision for
Regulation 910/2014 (eIDAS).

"
The information to be notified by Member States under Article 4(1) of
the present Decision *shall* contain the following data and any changes
thereto:
(1) Member State, using ISO 3166-1 Alpha 2 codes with the following exceptions:
    (a) The Country Code for United Kingdom shall be ‘UK’.
    (b) The Country Code for Greece shall be ‘EL’.
"

I believe Greece and Great Britain should be allowed their "right" to be
represented by using the identifiers C=EL and C=UK respectively, if they
wish to do so. The "spirit" of 9.16.3 is also to bring conflicting
requirements to the CA/B Forum to consider possible revisions
accordingly. This is exactly what I am doing, without violating the
current BRs, but hoping that the CA/B Forum will read this as a
conflicting requirement which could be resolved by adding a simple
exception, without creating any risk in current practices.

Is this only my reading? Do others read this in a similar way?

Dimitris.

PS: This is not so much related to Li-Chun's case which was more
confusing. I think the question that is raised here is much simpler.