(In response to george in comment 27)
So when was the first certificate in this batch approved? I'm struggling to see how a certificate that expired on the 24th of June has made it into the batch if you're only scanning valid certificates?
What is being reviewed is a pull of all issued EV certificates as of the day prior to us putting in a code change to only allow a specific set of approved entries into the State field. Because this review is being done on a specific report, pulled on a specific date (I'm sorry that I don't know the exact date), it's possible that, as in this case, some of the certificates have expired since that report was extracted. Robin has mostly been handling the posting of finalized batches, but as he is out of the office today, I took over. I wasn't sure whether or not to include the expired certificate but chose to do so in the interest of transparency.
(In response to Matthias in comment 28)
Your statement implies that BR 18.104.22.168 option 2 is used, but can be overridden by a CA operator without going through option 1, 3 or 4
You are assuming that all (any?) of the possible sources listed in 22.214.171.124 actually strictly follow ISO 3166-2. That is a faulty assumption, even when dealing with government agencies. There is a very small set of countries for which I have fairly high confidence that most if not all sources will match state/province information with what is listed in ISO 3166-2. There is another small subset, UK among them, for which I know things on the ground are all over the place and are just as likely not to have anything to do with what's officially listed in ISO 3166-2. Then add to that the use of completely different character sets such as Cyrillic, Kanji, etc. ISO utilizes UTF8, but it's basically a subset of UTF8 that I would characterize as roman alphabet plus diacritical marks not full native language/characters. Sectigo, I think correctly, allows full native language and native character set, but that's yet another bit that requires review from this dataset.
I do not believe that the statement "that's a historical subdivision widely accepted as correct"
Again, you are making a faulty assumption that just because one small group within a particular country's government decides to publish a list to ISO means that is the be all end all. The reality is it's not. Even among different departments of the same government they don't necessarily adhere to that standard. You need look no further than UK Companies House for numerous illustrations. It's complicated which is why the CA/B Forum has floated the idea of requiring CAs to adhere to ISO 3166-2 for the state/province field, but has not made the decision to make that a requirement. Requiring strict adherence to ISO 3166-2 would certainly make my job easier, but I'm not sure it would necessarily make everything more accurate.