Eddy Nigg (StartCom Ltd.) wrote:
> C.J. Adams-Collier wrote:
> <snip>
>> I am concerned, however, that TÜRKTRUST would even consider using a
>> production CA to issue "test" certificates.
> Using an intermediate CA wouldn't solve this problem (as you call it,
> sibling?), but an unrelated CA root would.

For the record, I am pretty sure that we have CAs already in the root list that have issued test certs under their hierarchies. IIRC the last instance of this I saw was a CA that had a subordinate CA used for testing purposes, under the root CA that we include. (But as you note, for our purposes a test certificate issued directly from a root CA is equivalent to a test certificate issued from a subordinate CA under that root. In both cases the test cert would be recognized as valid if the root CA cert were recognized as valid.)

I'll ask the TÜRKTRUST representative more about the test certificates. However as a general matter I'm not sure that a CA issuing test certificates under a hierarchy is a real matter of concern, as long as distribution of such certs and the associated private keys are suitably controlled.

> The CPS provided by this CA as in attachment
> https://bugzilla.mozilla.org/attachment.cgi?id=286696 is in PDF format I
> think....

Please don't use the CPS documents attached to the bug. The English version of the CPS is now available in PDF format directly from the TÜRKTRUST site:

http://www.turktrust.com.tr/pdf/cps_third.pdf

Frank

--
Frank Hecker
[EMAIL PROTECTED]