Dear Mr. Nigg,

First of all, thank you very much for your efforts and invaluable comments on our inclusion. I will briefly explain your questions and observations in this post. Please pay attention to the lines starting with "Answer".

Thank you very much again for your support.

Best regards,
Mert ÖZARAR

--------------------------------------------------------------------------------------------------------

Hi Frank,

I've gone through the bug information and read the third revision of the CPS of TÜRKTRUST. As usual I have a few questions to you concerning this application.

- The audit statement/confirmation supplied by the CA is from *June 2005*. Even though the Mozilla CA policy doesn't require re-audits, shouldn't initial audits be fairly recent? Maybe they have a newer confirmation than this one?

Answer -----------
The audit statement has been taken from the first audit date, which was in June 2005. The Turkish Telecommunications Authority visits us annually. Comment #38 will show you that this process has been completed for 2007. We can supply the official letter for this year's audit. Besides, we have already agreed on this subject with Gerv.

- Under 4.2.1 it says: "*No authentication* shall be made when processing applications for trial certificates." However, as I understand it, these trial certificates are issued from the same root. This is a problem which has also been highlighted by Gerv already in the bug itself. The answer supplied at comment https://bugzilla.mozilla.org/show_bug.cgi?id=380635#c29 was: "You understand trial (i.e. test) certificates wrong I guess. The trial certificates are given without fee. They are not valid under Law since they are not qualified thus spoofing does not bother." There was no follow-up on this since you (Frank) took over the bug from Gerv. I'd expect this not to be acceptable for SSL-enabled servers (and code signing as well), since in the same section it says: "When processing a server certificate application, the domain name that belongs to the server, the server's name and the name of the domain owner and personal information for the server administrator should be verified by TÜRKTRUST's registration authorities."

If a so-called "trial" certificate is processed and no authentication is performed, this means that domain ownership verification is also impossible. No alternative validation for domain ownership is provided either. Only email addresses are validated by an email ping. Does this mean that only S/MIME certificates are issued as "trial" certificates? It doesn't say that anywhere in their CPS, therefore I assume that it applies to all types of certificates.

IMPORTANT Answer ------------------------------
I think there was a misunderstanding about the so-called "trial certificates". Trial certificates are a type of certificate which is not valid under Turkish Law. As you may suppose, the "digital certificate" concept is quite a new topic for most countries except the USA or the EU. The history of digital certificates recognized by the Turkish Government is just 2.5 years long. We started to give out trial certificates after our establishment for educational and promotional purposes. People who have obtained trial certificates can use them and, at the same time, learn the purpose of Public Key Infrastructure. They do NOT use the same template as "Qualified Electronic Certificates" (QEC). Besides, the root of the qualified certificates is completely DIFFERENT. Thus, since all your arguments on trial certificates assumed the same root as the QEC, I think there is no problem with Mozilla CA policy section 7 as well.

Unfortunately, we are still converting our web site to English, and this will be finished in about a month. But Turkish citizens, or our customers who can speak Turkish, can reach the URL that is about TÜRKTRUST root certificates and the trust hierarchy: http://www.turktrust.com.tr/yrd_ksr.jsp

There, the last line states: "TÜRKTRUST deneme sertifikalarına ait Deneme Sertifikası Kökünü yüklemek için buraya tıklayınız." The exact English translation is "Please click here to load the root certificate which belongs to trial certificates issued by TÜRKTRUST." Hence it can be understood that the trial certificates are signed by a dedicated root other than the QEC root.

-- Non-specific to this bug --

- Not relevant or conditional to the Mozilla CA policy, however: how can a period of three years guarantee in any form even that the domain name is still under the same owner? I know this should be discussed outside of this inclusion request, but I would like to mention the fact that certificates issued for longer than one year (under certain circumstances even less) might result in a valid certificate in the wrong hands. Scenario: buy a popular domain name for one year, acquire a certificate for three years (or more at certain CAs), let the domain expire and have it bought by somebody else... This is something I also would like to have addressed in some form in a future revision of the Mozilla CA policy (note for myself).

Answer -----------
As you have mentioned, this should be discussed outside of this inclusion request, even though I quite agree with you. But it is an open question anyway: what will a CA do if someone acquires a 1-year certificate and the domain expires in the 9th month?

- How are non-Latin characters interpreted? There is no provision in the Mozilla CA policy; nevertheless this is something which might be interesting to know: how is this handled by this CA (and other CAs in that situation)? Can problems arise if non-Latin letters are used, and how would this affect the larger audience of Mozilla (outside of Turkey)?

Answer -----------
No problem can occur if the standards defined by X.509 and the ASN.1 encodings are carefully followed and implemented, as in our case. UTF8String is a simple ASN.1 string type identified by the UNIVERSAL tag number 12, and all the characters in Turkish exist in UTF-8. Hence I think there is no trouble at that point.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
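As an added illustration of the UTF8String point in the last answer above (example code written for this page by the editor, not TÜRKTRUST's software and not any library's API), the block below hand-rolls the DER TLV for the two X.509 DirectoryString choices that matter here: PrintableString (UNIVERSAL tag 19), whose repertoire has no Turkish letters, and UTF8String (UNIVERSAL tag 12), which carries them. The sample names are constructed and the strict decoder is the check a relying party would want: it refuses non-minimal lengths, trailing bytes, malformed UTF-8, and high bytes smuggled under a PrintableString tag.

```python
# Added example for this page: DER encoding of the X.509 DirectoryString
# choices PrintableString (UNIVERSAL tag 19) and UTF8String (UNIVERSAL tag 12).
# Illustration code written by the editor; it is not TÜRKTRUST's software and
# not any library's API. The TLV is hand-rolled so the bytes are visible.

TAG_UTF8STRING = 0x0C       # UNIVERSAL 12, as the answer above says
TAG_PRINTABLESTRING = 0x13  # UNIVERSAL 19

# Repertoire of PrintableString per X.680: letters, digits and a few symbols.
PRINTABLE_ALLOWED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)


def is_printable_string(text: str) -> bool:
    """True when every character is in the PrintableString repertoire."""
    return all(ch in PRINTABLE_ALLOWED for ch in text)


def der_length(n: int) -> bytes:
    """DER definite-form length: short form below 128, minimal long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_directory_string(text: str) -> bytes:
    """Encode text as PrintableString when possible, otherwise UTF8String.

    Turkish letters such as Ü, Ş, Ğ, Ç, Ö, İ and ı are outside PrintableString,
    so names containing them must be emitted as UTF8String.
    """
    if is_printable_string(text):
        tag, payload = TAG_PRINTABLESTRING, text.encode("ascii")
    else:
        tag, payload = TAG_UTF8STRING, text.encode("utf-8")
    return bytes([tag]) + der_length(len(payload)) + payload


def decode_directory_string(der: bytes) -> tuple[int, str]:
    """Parse exactly one string TLV and return (tag, text).

    Rejects what a lenient parser would let through: non-minimal lengths,
    trailing bytes, invalid UTF-8, and bytes outside the PrintableString
    repertoire under a PrintableString tag.
    """
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if first < 0x80:
        length, offset = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(der[2:2 + nbytes], "big")
        offset = 2 + nbytes
        # DER requires the shortest possible length encoding.
        if der[2] == 0 or (nbytes == 1 and length < 0x80):
            raise ValueError("non-minimal length is not DER")
    payload = der[offset:offset + length]
    if len(payload) != length or len(der) != offset + length:
        raise ValueError("length does not match payload")
    if tag == TAG_UTF8STRING:
        return tag, payload.decode("utf-8")   # raises on malformed UTF-8
    if tag == TAG_PRINTABLESTRING:
        text = payload.decode("ascii")        # raises on any high byte
        if not is_printable_string(text):
            raise ValueError("character outside PrintableString repertoire")
        return tag, text
    raise ValueError(f"unexpected string tag 0x{tag:02x}")


def rejects(der: bytes) -> bool:
    """True when the strict decoder refuses the input (UnicodeDecodeError is a ValueError)."""
    try:
        decode_directory_string(der)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for name in ("Ankara", "TÜRKTRUST", "İstanbul Şubesi"):
        der = encode_directory_string(name)
        tag, back = decode_directory_string(der)
        print(f"{name!r:20} tag=0x{tag:02x} der={der.hex()} roundtrip={back == name}")
```

Running the block prints the tag and hex for each name: the ASCII-only name goes out under 0x13, the names with Ü, İ and Ş under 0x0C with multi-byte UTF-8 payloads, and all three round-trip. The `rejects` helper is there so a reader can feed the decoder the kind of input a sloppy implementation accepts (a long-form length for a short payload, or a PrintableString tag over UTF-8 bytes) and confirm it is refused.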