Now we have also re-validated the C and L values. Today C values are limited using a small pre-defined set. Today L values are checked against a pre-approved value set that has been approved with evidence by the Registration Officer, as documented in comment 5. Previously L checking was similar to the visual ST checking, and thus some values became invalid. But not any more. In the re-check we found these new problems related to C and L:
C: There was one value "SV" instead of "SE". At the time it was detected and renewed, but the invalid certificate was forgotten to be revoked then. We revoked it now. The case was documented in our security documentation then. No other C problems existed. The problem certificate was https://crt.sh/?id=346615481. The current primary system prevents non-preapproved values like this: "ERROR: Request contains invalid country code "SV"". One side process still allows ordering a free two-char value, but the Registration Officer should accept the wrong value. Anyway, we'll soon improve that code to use only pre-approved codes there also, to minimize the risk.
L: In addition to the value "FI" in comment 7, there was one case that had the value "Default city" and one that had the value "LahiTapiola", which is not a geolocation but a postal office name. All three invalid ones were created before the current process to prevent non-predefined values. All other L values were normal geolocations. We believe that our pre-approval method efficiently prevents all invalid values. There have been no errors since it came into use. All invalid certificates are now revoked within 5 days. Details of the new ones are https://crt.sh/?id=351011048, https://crt.sh/?id=308413403
Summary: Now all our old SSL certificate ST, L and C values have been re-checked, 6 invalid ones are soon revoked and there are existing methods to prevent similar errors in the future. The primary prevention methods are mandatory pre-approval of L/C and the decision to not use ST at all.
The complexity regarding validating state:
The Finnish province or "maakunta" concept is very unclear and not actively used any more in Finland. And there are no public registers that could be used to validate whether the given ST value is correct or not for a particular L value. Wikipedia: "Between 1634 and 2009, Finland was administered as several provinces....Its makeup was changed drastically in 1997, when the number of the provinces was reduced from twelve to six....The provinces were eventually abolished at the end of 2009." When we still let Customers use ST, the values were quite often rubbish. There is no sense that ST should be used in Finland. The important fact is that they can't be verified officially. You could use some historical borders, but is that right? The normal way to uniquely provide an address in Finland is the way my company is registered in the official (country-level) registers:
Telia Finland Oyj = O
TEOLLISUUSKATU 15 = street
00510 HELSINKI = postalcode locality
ST is never used! If we must start using ST again, we have to simply convert the C value to its longer country name. I suppose that kind of ST usage is allowed (but useless)? For these reasons it is much better to avoid ST completely. I understand that in some other countries, like the USA, ST is a useful or even mandatory addition. Note! Now politicians are again planning to create new province borders in Finland. But those will not be the traditional ones.