[cabfpub] C=GR, C=UK exceptions in BRs

Ryan Sleevi sleevi at google.com
Fri Mar 17 20:08:49 UTC 2017


On Fri, Mar 17, 2017 at 3:01 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr>
wrote:

> Ryan, it seems you are reading the 9.16.3 requirement from a different
> point of view than I am. I don't think you're likely to see a local law
> that mandates what you "can't do". So, you are not likely to see a law or
> an executive order that says "you cannot represent Greece with GR". It is
> more likely that you will find a law that says that "for this type of
> certificate, you must represent Greece with EL".
>

That's the same as saying "You cannot represent Greece as anything but
C=EL" :)


> I think that should be enough for 9.16.3 because there is a "conflict
> between these Requirements and a law". In our example, the BRs say you
> can't use C=EL but the "local" law says you must use C=EL.
>

What local law?


> I also think you will never see a local law or executive order that reads
> something so overly specific as to combine this requirement with "publicly
> trusted Certificates".
>
> For your consideration, please have a look at
> http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505
> and specifically Annex II.
> This is an Implementing Decision for Regulation 910/2014 (eIDAS).
>
> "
> The information to be notified by Member States under Article 4(1) of the
> present Decision *shall* contain the following data and any changes
> thereto:
>
> (1) Member State, using ISO 3166-1 (1)
> <http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505#ntr1-L_2015235EN.01003601-E0001>
> Alpha 2 codes with the following exceptions:
>
> (a) The Country Code for United Kingdom shall be ‘UK’.
>
> (b) The Country Code for Greece shall be ‘EL’.
> "
>
> I believe Greece and Great Britain should be allowed their "right" to be
> represented by using the identifiers C=EL and C=UK respectively, if they
> wish to do so. The "spirit" of 9.16.3 is also to bring conflicting
> requirements to the CA/B Forum to consider possible revisions accordingly.
> This is exactly what I am doing, without violating the current BRs, but
> hoping that the CA/B Forum will read this as a conflicting requirement
> which could be resolved by adding a simple exception, without creating any
> risk in current practices.
>
> Is this only my reading? Do others read this in a similar way?
>

As Peter pointed out, in this case, this local law only applies to those on
the trust list. This is no different than, for example, other PKIs -
including those established by laws - being incompatible with the Web PKI.
And that's OK, it just means not to mix the two :)