Hi Frank,

Frank Hecker wrote:
> I'll ask the TÜRKTRUST representative more about the test certificates.
> However as a general matter I'm not sure that a CA issuing test 
> certificates under a hierarchy is a real matter of concern, as long as 
> distribution of such certs and the associated private keys are suitably 
> controlled.
>
>   
As I understand from Mert ÖZARAR's response, the so-called trial 
certificates aren't issued from the same CA root, which is good! However 
their CPS doesn't say this clearly and I assume that the CP doesn't 
either. However we can't tell, since nobody has seen the CP. But the CP 
(and to some extent the CPS) is the legal contract for all involved 
parties, be it the CA, its subscribers, relying parties and in this 
respect Mozilla (as a super relying party).

In light of this information, I suggest that TURKTRUST update their CP 
and CPS accordingly and perhaps remove the reference to the test 
certificates altogether. Perhaps a different CP/CPS for the trial 
certificates would be better.

Since efforts are made to get away as much as possible from self-signed 
and "untrusted" CA roots, the best solution would be however that *any* 
certificate issued by TURKTRUST, including trial and test certificates, 
would be at least email/domain validated. Also relying parties wouldn't 
get confused as to why cert A might be recognized by the browser(s) and 
cert B not (having to either click through the errors or import the 
CA root in question, which obviously shouldn't be recommended at all).

Additionally I suggest waiting for an English version of their web site. 
The representative of TURKTRUST indicated that it will be due within a 
month's time. I have visited their site and tried to gain some information 
which is almost impossible without knowing Turkish ;-)

(I also intend to reply to the posting made by Mert ÖZARAR a.s.a.p.)

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
