
uncomfortable tech questions 

TLS certificates require the specification of a country code for the organization that requested the certificate. This country code must be one of those specified in ISO 3166.

So, who exactly decides whether your country is enough of a country to have correctly-configured transport encryption, and what are the political implications of that answer?

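As an added illustration of the constraint in the post above (example code, not from the thread or any CA): a small checker that parses an X.509 subject string and tests whether its countryName (C) is an ISO 3166-1 alpha-2 code. The ISO list is a constructed subset for the example, and the DV rule mirrors Let's Encrypt practice (subject is the domain only, no organisation or country); both are assumptions, not quoted policy.

```python
"""Check the countryName (C) attribute of an X.509 subject DN against ISO 3166-1."""
import re

# Constructed subset of ISO 3166-1 alpha-2 codes for this example only.
# A real check would load the full, current list rather than hard-coding it.
ISO_3166_ALPHA2 = {"AU", "CX", "DE", "FR", "GB", "NL", "US"}

# Two-letter values that appear in real subjects but are not ISO 3166-1 assignments.
NOT_COUNTRIES = {"UK", "EU", "XX"}


def parse_subject_dn(dn):
    """Parse an RFC 4514 style string such as 'C=NL, O=Example, CN=example.org'
    into an ordered list of (attribute, value) pairs. Escaped commas (\\,) stay
    inside the value instead of splitting it."""
    pairs = []
    for rdn in re.split(r"(?<!\\),\s*", dn):
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def check_country(dn, cert_type):
    """Return (ok, reason) for cert_type 'DV' or 'OV'.

    OV: the subject names an organisation, so exactly one C attribute is
        expected and it must be an ISO 3166-1 alpha-2 code.
    DV: the subject identifies only the domain (assumed, as Let's Encrypt
        issues them), so no C attribute is expected at all."""
    countries = [v for a, v in parse_subject_dn(dn) if a == "C"]
    if cert_type == "DV":
        if countries:
            return False, "unexpected C attribute in a DV subject"
        return True, "DV subject carries no country, as expected"
    if len(countries) != 1:
        return False, "OV subject needs exactly one C attribute"
    code = countries[0]
    if code in ISO_3166_ALPHA2:
        return True, f"{code} is a valid ISO 3166-1 alpha-2 code"
    if code in NOT_COUNTRIES:
        return False, f"{code} is not an ISO 3166-1 assignment"
    return False, f"{code} is not in the ISO 3166-1 list"
```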


@joepie91

The answer is of course "it's complicated".

At a first approximation, the UN decides who is and isn't a state. ISO syncs 3166 with the UN's position. ICANN does more or less the same for the DNS root, with some infrastructural and historical exceptions.


@joepie91

The issue of certificates is a matter of the CA's policy, which for widely-trusted CAs means a policy identical to that of CA/Browser Forum, which I assume simply tracks ICANN's list. That is, if the TLD is in the DNS, then widely-trusted CAs are likely to be willing to issue certificates.

Your question then boils down to how ICANN handles corner cases. Do you have one in mind?


@joepie91

(I'd point out that there have been more complicated situations in the past where CAs were concerned about verifying the legal identity of their customers, which required information about how to do that in many jurisdictions, which required a finding of who could speak on behalf of the local Internet community.


@joepie91

This was usually straightforward, but broke for Christmas Island for example for several years (because the TLD registry was insolvent, there was no relevant civil society group, and the relevant Australian regulator had no clue), meaning that widely-trusted TLS certificates were simply unavailable for .cx domains. Domain Verified (DV) certificates of the type that Let's Encrypt issues now end-run this problem entirely of course.)


@joepie91

I can recommend dat.

Not sure what your goal is, but if you can, use alternatives to TLS. The dat stack includes hyperdht, and connections are end-to-end encrypted using Noise. It's all built on top of libsodium; keypairs are ed25519. The stack is just more sane, modern and minimal.

It depends what standards are for you.

If you roll with certain people who gave themselves a "standards body" label and claim authority, then yeah... guess it must be TLS.
