[Servercert-wg] [EXTERNAL] State or Province

Bruce Morton Bruce.Morton at entrustdatacard.com
Tue Sep 3 17:31:42 MST 2019

Hi Tim,

I would be concerned if an applicant provides an address and the CA validates the address with a QIIS or QGIS. Then the CA would check ISO 3166-2 and find the state/province/whatever is not listed.

As ST is optional, the CA could still issue the certificate if the ST data is removed. I’m not sure that issuing a certificate with only some of the information that was validated would be a good idea.

There may also be the case where ISO 3166-2 provides data which is not used in addresses and cannot be validated with a third party.

It might be better to do some testing before implementing ISO 3166-2 as the limit.

Perhaps a starting position is that items in ISO 3166-2 may be used in the ST field.


On Sep 3, 2019, at 7:48 PM, Tim Hollebeek via Servercert-wg <servercert-wg at cabforum.org> wrote:

It has come to my attention that the current baseline requirements are rather unclear about what is a valid state or province (subject:stateOrProvinceName [OID:]). Lots of countries have what are effectively states or provinces; they just call them something else.

In order to provide bright, clear lines that everyone can comply with, it would be useful to point to an existing standard, and ISO 3166-2 seems like just the thing to point to.  Hopefully the ISO folks have already figured out all the crazy, weird corner cases for us.

Does anyone have a good reason why stateOrProvinceName should NOT be required to comply with ISO 3166-2?  Other comments or concerns?
