Frank Hecker wrote:
> TÜRKTRUST has applied to add two root CA certificates to the Mozilla
> root store, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=380635
>
> and propose to approve this request in two weeks time after a public
> discussion period. If you have any objections, or know of facts which
> might influence this decision, please make them known before then.

Hi Frank,
I've gone through the bug information and read the third revision of the CPS of TÜRKTRUST. As usual I have a few questions for you concerning this application.

- The audit statement/confirmation supplied by the CA is from *June 2005*. So the Mozilla CA policy doesn't require re-audits, but shouldn't initial audits be fairly recent? Maybe they have a newer confirmation than this one?

- Under 4.2.1 it says: "*No authentication* shall be made when processing applications for trial certificates." However, as I understand it, these trial certificates are issued from the same root. This is a problem which has also been highlighted by Gerv already in the bug itself. The answer supplied at comment https://bugzilla.mozilla.org/show_bug.cgi?id=380635#c29 was:

  "You understand trial (i.e. test) certificates wrong I guess. The trial certificates are given without fee. They are not valid under Law since they are not qualified thus spoofing does not bother."

  There was no follow-up on this since you (Frank) took over the bug from Gerv. I'd expect this not to be acceptable according to the Mozilla CA policy section 7 for SSL-enabled servers (and code signing as well), since in the same section it says:

  "When processing a server certificate application, the domain name that belongs to the server, the server's name and the name of the domain owner and personal information for the server administrator should be verified by TÜRKTRUST's registration authorities."

  In case a so-called "trial" certificate is processed and no authentication is performed, this means that domain ownership verification is also impossible. No alternative validation for domain ownership is provided either. Only email addresses are validated by an email ping. Does this mean that only S/MIME certificates are issued as "trial" certificates? It doesn't say that anywhere in their CPS, therefore I assume that it applies to all types of certificates.
-- Not specific to this bug --

- Not relevant or conditional to the Mozilla CA policy, however how can a period of three years guarantee in any form even that the domain name is still under the same owner? I know this should be discussed outside of this inclusion request, but I would like to mention the fact that certificates issued for longer than one year (under certain circumstances even less) might result in a valid certificate in the wrong hands. Scenario: buy a popular domain name for one year, acquire a certificate for three years (or more at certain CAs), let the domain expire and have it bought by somebody else... This is something I also would like to have addressed in some form in a future revision of the Mozilla CA policy (note for myself).

- How are non-Latin characters interpreted? There is no provision in the Mozilla CA policy, nevertheless it might be interesting to know how this is handled by this CA (and other CAs in that situation). Can problems arise if non-Latin letters are used, and how would this affect the larger audience of Mozilla (outside of Turkey)?

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto