[cabfpub] C=GR, C=UK exceptions in BRs
Dimitris Zacharopoulos
jimmy at it.auth.gr
Mon Mar 20 09:59:54 UTC 2017
On 20/3/2017 11:05 πμ, Geoff Keating wrote:
>
>> On Mar 19, 2017, at 11:59 PM, Dimitris Zacharopoulos <jimmy at it.auth.gr> wrote:
>>
>>> On 18/3/2017 9:06 πμ, Geoff Keating wrote:
>>> In this discussion, I think perhaps a key point has been lost:
>>>
>>> Why is the CABforum involved in this?
>>>
>>> The CABforum does not assign country codes, nor is it responsible for defining the countryName attribute (that’s in ITU-T X.520 | ISO/IEC 9594-6). I don’t see why the CABforum should consider itself free to change that definition and I don’t see why people should be asking it to.
>>>
>>> Even if it was permitted, would it be wise? The CABforum is not well suited to be determining the existence or names of countries, especially in contentious cases, and there are a lot of contentious cases in this area. An important function of the ISO 3166 Maintenance Agency is to enfold these contentious cases in careful bureaucracy and to come up with a result that, while it might not be agreed to be the correct result, or the desirable result, is at least agreed to be the result.
>>>
>> Geoff,
>>
>> The CA/B Form is involved because I presented an EU legal document that mandates using "C=EL" and "C=UK" as exceptions to the ISO-3166, in X.509 Certificates. Check my e-mail sent on March 17th. Just to restate the problem, the current BRs dictate using the two-letter country codes in ISO-3166-1 for the Subject Information. This creates a conflict if there is a case where a subject is required to use one of the other country identifiers, like the referenced 1505/2015 commission implementing decision.
> I believe this has been covered elsewhere in the discussion; the requirement in that decision applies only to Member States, not CAs, and only to a specific notification from the member to the EC, not to certificates. So there is no conflict there.
>
> An organization is free to say 'we will use our own codes for some countries for our internal purposes'. This is their choice to not use the standard. However it does not change the standard, and they cannot truthfully state that the result is standard-conforming.
>
>> These two countries have been using these identifiers for years and have broadly been used in legal documents and official correspondence in the European Union. As I am sure you are quite aware, you can't get more bureaucracy than the EU, so for these identifiers to be included in legal documents, it means that all the proper agencies have approved this. I presented one of possibly hundreds of documents using these identifiers but the one I posted is very closely related to X.509 digital certificates.
> The ISO is the relevant authority, and they have not approved.
Is there a citation suggesting that ISO is the relevant authority or
that they have not approved (not sure exactly what)? Again, if we leave
out the "C=EL" for Greece, "C=UK" is listed in the ISO3166-1 in the
exceptionally reserved list. What does that mean for you? That ISO has
somehow "approved" the use of this indicator?
>
> I also do not see where the EU has actually approved, requested, suggested, or even hinted at the use of this value in certificates. A specific reference would be needed.
Looking the other way won't change the fact that these well-defined
exceptions have been properly documented in the 1501/2015 decision. I
have not read the minutes of the corresponding EU proceedings but it is
strange you suggesting they were not properly requested, suggested and
approved through the official EU channels.
>
>> I agree that ISO-3166-1 is a great place to start but if there are specific exceptions to it, like the ones specified in the 1505/2015 decision, coming from organizations like the EU, IMHO they should be respected.
> Even if, counterfactually, the EU had said they would prefer these values in certificates, what justification does the EU have to do so? They are not the ISO and do not produce the relevant standards and did not assign the OID. It would be inappropriate for them to try to alter an ISO standard without going through the ISO process. It would also be inappropriate for them to bring the CABforum into any disagreement they are having with the ISO, or for the CABforum to permit itself to be used that way.
The justification is that the EU and Member States can decide how they
want to be represented without depending on the ISO process. I am not
familiar with ISO processes and whether Greece has applied to reserve
the "EL" but I think your argument does not stand for "UK". I also can't
see how the ISO OIDs are relevant to this discussion.
>
> Likewise Greece; but Greece is literally the last country in the world that I can imagine saying that an international body should be ignored in favor of a country's preferred nomenclature, because of their dispute over Macedonia.
This is clearly a political statement that is out of the Forum's usual
line of arguments (at least for the years I participate). I may have a
personal opinion on political issues (about "FYROM") but refrain from
making political statements in a technically oriented standards group
like the CA/B Forum. Having said that, I will not judge right or wrong
or question the reasoning behind official EU, Greek, US laws. I think
this is also in the spirit of 9.16.3 where "local law" supersedes the
BRs in case of a conflict between the two. I suggest we avoid making
similar political statements.
More information about the Public
mailing list