[Servercert-wg] [EXTERNAL] State or Province

Richard Smith rich at sectigo.com
Thu Sep 5 06:13:06 MST 2019

I’ve thought about introducing this myself, but on review and reflection I think ISO 3166-2 is better suited to being a SHOULD than a MUST.  It’s a good tool to implement for flagging a request for additional scrutiny when there is a deviation from it, but I don’t think it should be a hard blocker, for a variety of reasons.


From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Bruce Morton via Servercert-wg
Sent: Tuesday, September 3, 2019 7:32 PM
To: Tim Hollebeek <tim.hollebeek at digicert.com>; CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] [EXTERNAL] State or Province

Hi Tim,

I would be concerned if an applicant provides an address and the CA validates the address with a QIIS or QGIS. Then the CA would check ISO 3166-2 and find the state/province/whatever is not listed.

As ST is optional, the CA could still issue the certificate if the ST data is removed. I’m not sure that issuing a certificate with only some of the information that was validated would be a good idea.

There may also be the case where ISO 3166-2 provides data which is not used in addresses and cannot be validated with a third party.

It might be better to do some testing before implementing ISO 3166-2 as the limit.

Perhaps a starting position is that items in ISO 3166-2 may be used in the ST field.


On Sep 3, 2019, at 7:48 PM, Tim Hollebeek via Servercert-wg <servercert-wg at cabforum.org<mailto:servercert-wg at cabforum.org>> wrote:

It has come to my attention that the current baseline requirements are rather unclear about what is a valid state or province (subject:stateOrProvinceName [OID:]).  Lots of countries have what are effectively states or provinces, they just call them something else.

In order to provide bright, clear lines that everyone can comply with, it would be useful to point to an existing standard, and ISO 3166-2 seems like just the thing to point to.  Hopefully the ISO folks have already figured out all the crazy, weird corner cases for us.

Does anyone have a good reason why stateOrProvinceName should NOT be required to comply with ISO 3166-2?  Other comments or concerns?

WARNING: This email originated outside of Entrust Datacard.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

Servercert-wg mailing list
Servercert-wg at cabforum.org<mailto:Servercert-wg at cabforum.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190905/d7bc3ba8/attachment.html>

More information about the Servercert-wg mailing list