Hey there Frank, Eddy, auditors of all colors,

I personally feel uncomfortable with the approval of this application prior to resolution of the section 7 violation Eddy and Gerv have noted. Also, the CPS is a .doc file... could we get a file format that can be reviewed by the public, please? HTML or plain text would be much more appealing.

https://bugzilla.mozilla.org/show_bug.cgi?id=380635#c29

One resolution for this issue (as I understand it) might be for the requesting entity to create a sibling CA that is not shipped in the Mozilla CA root. The sibling CA could then be used for these "test" certificates without triggering a section 7 violation. This type of approach is touched on in section 13. I am concerned, however, that TÜRKTRUST would even consider using a production CA to issue "test" certificates.

Cheers,
C.J.

On Nov 22, 2007 7:03 AM, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote:
> Frank Hecker wrote:
> > TÜRKTRUST has applied to add two root CA certificates to the Mozilla
> > root store, as documented in the following bug:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=380635
> >
> > and propose to approve this request in two weeks time after a public
> > discussion period. If you have any objections, or know of facts which
> > might influence this decision, please make them known before then.
>
> Hi Frank,
>
> I've gone through the bug information and read the third revision of the
> CPS of TÜRKTRUST. As usual I have a few questions to you concerning this
> application.
>
> - Audit statement/confirmation is from the *June 2005* supplied by the
> CA. So the Mozilla CA policy doesn't require re-audits, shouldn't
> initial audits be fairly recent? Maybe they have a newer confirmation
> than this one?
>
> - Under 4.2.1 it says: "*No authentication* shall be made when
> processing applications for trial certificates." However as I
> understand, these trial certificates are issued from the same root. This
> is a problem which has also been highlighted by Gerv already in the bug
> itself.
> The answer supplied at comment
> https://bugzilla.mozilla.org/show_bug.cgi?id=380635#c29 was:
>
> "You understand trial (i.e. test) certificates wrong I guess. The
> trial certificates are given without fee. They are not valid under
> Law since they are not qualified thus spoofing does not bother."
>
> There was no follow up on this since you (Frank) took over the bug from
> Gerv.
>
> I'd expect this not to be acceptable according to the Mozilla CA policy
> section 7 for SSL-enabled servers (and code signing as well), since in
> the same section it says: "When processing a server certificate
> application, the domain name that belongs to the server, the server's
> name and the name of the domain owner and personal information for the
> server administrator should be verified by TÜRKTRUST's registration
> authorities."
> In case a so called "trial" certificate is processed and no
> authentication is performed, this means that also domain ownership
> verification is impossible. No alternative validation for domain
> ownership is provided either. Only email addresses are validated by an
> email ping.
> Does this mean that only S/MIME certificates are issued as "trial"
> certificates? It doesn't say that anywhere in their CPS, therefore I
> assume that it applies to all types of certificates.
>
> -- Non specific to this bug --
>
> - Not relevant or conditional to the Mozilla CA policy, however how can
> a period of three years guarantee in any form even that the domain name
> is still under the same owner? I know this should be discussed outside
> of this inclusion request, but I would like to mention the fact that
> certificates issued for longer than one year (under certain
> circumstances even less) might result in a valid certificate in the
> wrong hands. Scenario: Buy a popular domain name for one year, acquire
> a certificate for three years (or more at certain CAs), let the domain
> expire and have it bought by somebody else... This is something I also
> would like to have addressed in some form in a future revision of the
> Mozilla CA policy (note for myself).
>
> - How are non-latin characters interpreted? There is no provision in the
> Mozilla CA policy, nevertheless this is something which might be
> interesting to know how this is handled by this CA (and other CAs in
> that situation). Can problems arise if non-latin letters are used and
> how would this affect the larger audience of Mozilla (outside of Turkey)?
>
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
> Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
> Blog: Join the Revolution! <http://blog.startcom.org>
> Phone: +1.213.341.0390
>
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>

--
moo.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto