Hi Mert Özarar,

Thank you for your participation here! Please allow me a few notes and 
suggestions.

Mert Özarar (TÜRKTRUST) wrote:
> Answer
> -----------
> The audit statement has been taken from the first audit date which was
> in June 2005. The Turkish Telecommunications Authority visits us
> annually. Comment #38 will guide you that this process has been
> completed for 2007. We can supply the official letter for this year's
> audit. Besides, we have already agreed on this subject with Gerv.
>   
Yes, I've followed the bug entries and have read the relevant comments. 
I would suggest submitting the most recent audit statement.
> IMPORTANT Answer
> ------------------------------
> I think there was a misunderstanding about the so-called "trial
> certificates". Trial certificates are a type of certificate which is
> not valid under Turkish Law. As you suppose, "digital certificate"
> concept is quite a new topic for most of the countries except USA or
> EU. The past of digital certificates entitled by Turkish Government is
> just 2.5 years. We have started to give trial certificates after our
> establishment for educational and promotional purposes. People who
> have gathered trial certificates can use and learn at the same time
> the aim of Public Key Infrastructure. They are NOT in the same
> template with "Qualified Electronic Certificates" (QEC). Besides, the
> root of the qualified certificates is completely DIFFERENT. 
As I wrote to the list earlier, I suggest omitting the trial certificates 
entirely from the main CP/CPS and publishing a dedicated CP/CPS for the CA 
root which issues the trial certificates. The CP/CPS is the legal 
contract for all involved parties and therefore this is critical. 
Alternatively I suggest updating the current CP/CPS to clearly indicate 
that the trial certificates operate under a completely different CA root 
which should not be imported into browsers except for testing purposes.

Even better would be to perform minimal validations even for the test 
certificates, but obviously this is entirely your decision.

> Unfortunately, we are converting our web site to English and it will
> end in a month's time. 
I think this will be extremely helpful!
> Answer
> -----------
> As you have mentioned, this should be discussed outside of this
> inclusion request even though I quite agree with you. But it is an
> open question since what a CA will do if someone acquires a 1 year
> certificate and expires at the 9th month?
>   
Yes, I'm aware of this obviously, but there is still a difference 
between a few months and a few years. Most of the time, registrars keep 
previous domain names protected for a certain time in order to give the 
original owner the chance to renew the contract with the registrar. 
Additionally time plays a role when a potential attacker has the chance 
to carefully plan and implement the attack (I'm speaking about 
potentially 2 years in this case). A possible solution could be to have 
the owner of the domain buy the domain for the respective period in 
which case only a transfer of domain ownership would be possible (as 
opposed to expiration).
> Answer
> -----------
> No problem can occur if the standard defined by X.509 and ASN.1
> encodings are carefully carried out and implemented likewise in our
> case. UTF8String is a simple ASN.1 string type identified by the
> UNIVERSAL TAG number 12 and all the characters in Turkish exist in
> UTF8. Hence I think there is no trouble at that point.
That's correct, however most of the potential users of Mozilla software 
don't know Turkish nor the Turkish letters and the question really is, 
how this should be handled from the point of view of Mozilla. What if 
tomorrow a CA from -Insert Country Here- issues certificates in Russian, 
Arabic, Hebrew, Chinese, Japanese etc letters...? Frank, this one is for 
you...

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
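
As an added illustration of the UTF8String point discussed in the message above (not part of the original e-mail, and not TÜRKTRUST or Mozilla code): a minimal DER reader that identifies a string's type by its tag and lists the non-ASCII characters a relying party's software would have to display. The function names and the sample bytes are constructed for this example.

```python
import unicodedata

# Identifier octets of common certificate string types -> (name, codec).
# For UNIVERSAL primitive types the octet equals the tag number.
STRING_TAGS = {
    12: ("UTF8String", "utf-8"),
    19: ("PrintableString", "ascii"),  # really a subset of ASCII; not enforced here
    30: ("BMPString", "utf-16-be"),
}

def read_tlv(der):
    """Parse one DER TLV (low tag numbers only); return (tag, value, rest)."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first = der[0], der[1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers are not handled here")
    if first < 0x80:                       # short-form length
        length, offset = first, 2
    else:                                  # long-form length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(der[2:2 + n], "big")
        if length < 0x80 or der[2] == 0:
            raise ValueError("non-minimal length, not valid DER")
        offset = 2 + n
    if len(der) < offset + length:
        raise ValueError("value shorter than declared length")
    return tag, der[offset:offset + length], der[offset + length:]

def describe_string(der):
    """Decode a DER string strictly and list the non-ASCII characters in it."""
    tag, value, rest = read_tlv(der)
    if rest or tag not in STRING_TAGS:
        raise ValueError("not a single supported string TLV")
    name, codec = STRING_TAGS[tag]
    text = value.decode(codec)             # strict: malformed bytes raise
    extra = sorted({ch for ch in text if ord(ch) > 0x7F})
    return {"type": name, "text": text,
            "non_ascii": [(f"U+{ord(c):04X}", unicodedata.name(c, "?")) for c in extra]}

# Constructed sample: the organisation name from this thread as a UTF8String.
SAMPLE = bytes([0x0C, 0x0A]) + "TÜRKTRUST".encode("utf-8")

if __name__ == "__main__":
    print(describe_string(SAMPLE))
```
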
