subject:countryName value when verified country doesn't have an ISO 3166-1 country code

[robplee]

The text for subject:countryName in 7.1.4.2.2.n says that if a Subject's verified country doesn't have an ISO 3166-1 country code then "the CA MAY specify the ISO 3166-1 user-assigned code of XX". Is that the only thing that is permitted or that should be permitted to include as a countryName in this case?

By the current text of the SMIME BRs I don't think there's anything stopping a CA putting the name of the country in the countryName field as long as it's not got an ISO code. The text says the CA MAY do that but that means that they don't have to.

If the Black Panther wanted an SMIME certificate, could a CA issue a certificate containing a subject:countryName attribute with the value "Wakanda"? That is the country that the Black Panther is from, and assuming the CA could be provided with sufficient evidence to meet the standards of verification defined by Section 3.2.3 or 3.2.4, I think the SMIME BRs allow a CA to do this by the current text. Wakanda does not have an ISO 3166-1 country code*, so by the BRs the CA MAY include an attribute with the "XX" code, but (by the current text of the BRs) I don't think they are obliged to if they are including a countryName.

* yes, I did check.

[srdavidson]

See srdavidson@86134be