[Servercert-wg] [EXTERNAL] State or Province

Ryan Sleevi sleevi at google.com
Thu Sep 5 07:53:50 MST 2019

On Thu, Sep 5, 2019 at 10:09 AM Richard Smith <rich at sectigo.com> wrote:

> Jeremy said:
> The idea is to answer questions about whether England is a state in the UK:
> https://censys.io/certificates/fbb3010c9d3f9ce6ec16ad7062f6c5b6d502c1e2ca35b2a594afbcb3dee5af28
> (aside – what is the answer on this one. Is England allowed in the state
> field?)
> You’re not really helping your case with this question.  Looking at the
> standard:
> https://www.iso.org/obp/ui/#iso:code:3166:GB
> I can’t answer your question.  Is the proposed requirement only that there
> be some defined sub-division matching what’s proposed for the ST field?

I think, yes, the goal is to find an appropriate/consistent subdivision
expression as to what should be registered here.

> OK, then yes, England is acceptable.  But wait, 3166-2 says England is a
> country.  That’s not a state or a province.  How about right below England
> on the page, we have England and Wales.  Is that acceptable for the ST
> field?  But 3166-2 says that’s a nation.  That’s not a state or a province
> either.  And BTW what the heck is the difference (from the perspective of
> this ISO standard) between a country and a nation, because I’ve always
> thought they were synonyms.  I guess someone, either in the UK, or over at
> ISO would disagree.

Right, to be clear, I agree 100% with Jeremy that we should get it to a
MUST and absolutely should get consistency. The question is, as you point
out, consistency "with what". The challenge is that 3166-2 includes many
levels of hierarchy, not just "the immediate second".

However, this is a problem that CAs are already having to deal with, with
respect to stateOrProvince, so it's not that this is a new problem being
introduced, but rather, an attempt to formalize how existing CAs are
addressing this problem. Using the Kosovo example you mentioned, I totally
understand and appreciate the challenges of geopolitical complexity, but I
surely hope the answer is "Well, the world is messy, so CAs should be able
to do whatever they want". Surely, we find some path towards consistency?

ISO 3166-2 is useful in that:
1) It's widely used
2) It's externally maintained with a clear path to modifications
3) It keeps us (largely) out of the political challenges you mention

That said, we still need some form of consistent validation and encoding.
If 3166-2 isn't it, then I'm hoping alternative proposals can be offered.
I'd absolutely be happy haggling over which level of subdivision we use for
which country code, and I'm willing to bet if each CA spent a few hours of
their time, they could quickly dig through what countries they've included
(since at least we use the 3166-1 Alpha-2 here), and of those, what
stateOrProvinces they've included, and that they think are 'correct' or
'permissible'. From there, we can then move to discussing rules that
capture that reality, while bringing consistency.
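
The inventory suggested in the closing paragraph, as an added example that is not part of the original message: it tallies the (C, ST) pairs found in issued subjects and reports which ISO 3166-2 category each ST value falls under. The subdivision table is a small constructed excerpt, and the subject strings, function names and classification labels are assumptions made for illustration.

```python
from collections import Counter

# Constructed excerpt of ISO 3166-2:GB as name -> (code, category). Illustrative
# only; a real inventory would load the full, current standard for every country.
ISO_3166_2_EXCERPT = {
    "GB": {
        "England": ("GB-ENG", "country"),
        "Northern Ireland": ("GB-NIR", "province"),
        "England and Wales": ("GB-EAW", "nation"),
    },
}
# Constructed subject strings standing in for a CA's issuance records.
SAMPLE_SUBJECTS = [
    "C=GB, ST=England, L=London, O=Example One Ltd, CN=one.example",
    "C=GB, ST=ENG, L=London, O=Example Two Ltd, CN=two.example",
    "C=GB, ST=England and Wales, O=Example Three Ltd, CN=three.example",
    "C=GB, ST=Middlesex, O=Example Four Ltd, CN=four.example",
    "C=DE, ST=Bayern, O=Example Five GmbH, CN=five.example",
    "C=GB, L=London, O=Example Six Ltd, CN=six.example",
]

def parse_dn(dn):
    """Split a simple 'K=V, K=V' subject into a dict (no escaped commas handled)."""
    attrs = {}
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs

def classify(country, state):
    """Return the excerpt's category for (C, ST), matching the name, full code
    or code suffix, or a label saying why there is no match."""
    if state is None:
        return "absent"
    table = ISO_3166_2_EXCERPT.get(country)
    if table is None:
        return "no-table-for-country"
    wanted = state.casefold()
    for name, (code, category) in table.items():
        if wanted in (name.casefold(), code.casefold(), code[3:].casefold()):
            return category
    return "unmatched"

def inventory(subjects):
    """Tally (C, ST, classification) so divergent encodings become visible."""
    tally = Counter()
    for attrs in map(parse_dn, subjects):
        c, st = attrs.get("C", ""), attrs.get("ST")
        tally[(c, st, classify(c, st))] += 1
    return tally
```

Calling `inventory(SAMPLE_SUBJECTS)` shows "England" and "ENG" as two encodings of the same subdivision, and shows that matched values for one country span three different categories, which is the hierarchy question raised in the thread.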