Re: TURKTRUST root CA certificate inclusion request

2008-01-04 Thread Frank Hecker
Frank Hecker wrote: > I've therefore signaled my approval of this > application in bug 380635, and will proceed to file an NSS bug for > inclusion of the actual root CA certs. Filed bug 410821 for inclusion of the TURKTRUST certs into NSS: https://bugzilla.mozilla.org/show_bug.cgi?id=410821

Re: TURKTRUST root CA certificate inclusion request

2008-01-02 Thread Frank Hecker
Frank Hecker wrote: > TÜRKTRUST has applied to add two root CA certificates to the Mozilla > root store, as documented in the following bug: > > https://bugzilla.mozilla.org/show_bug.cgi?id=380635 > > and in the pending certificates list here: > > http://www.mozilla.org/projects/security/cer

Re: TURKTRUST root CA certificate inclusion request

2007-12-09 Thread C.J. Adams-Collier
I agree with this. Just because I can't read it doesn't mean that it's wrong. If someone capable of and trusted to verify the authenticity has done the due diligence, I say leave it at that. On Dec 6, 2007 12:50 PM, Gervase Markham <[EMAIL PROTECTED]> wrote: > Eddy Nigg (StartCom Ltd.) wrote: >

Re: TURKTRUST root CA certificate inclusion request

2007-12-07 Thread Eddy Nigg (StartCom Ltd.)
Michael Ströder wrote: > Well, I think if the CA clearly states in its CP/CPS that the users > (subscribers and relying participants) of the issued certificates SHALL > be solely "local" users it does not matter whether Mozilla is a product > used globally. But for most CAs issuing SSL/TLS certs th

Re: TURKTRUST root CA certificate inclusion request

2007-12-07 Thread Michael Ströder
Eddy Nigg (StartCom Ltd.) wrote: > Michael Ströder wrote: >> I agree with Eddy on this. When defining cert profiles for CAs I always >> take into consideration the set of relying participants. If the certs >> are to be used globally they SHOULD be readable to the international >> public like other

Re: TURKTRUST root CA certificate inclusion request

2007-12-07 Thread Eddy Nigg (StartCom Ltd.)
Michael Ströder wrote: > I agree with Eddy on this. When defining cert profiles for CAs I always > take into consideration the set of relying participants. If the certs > are to be used globally they SHOULD be readable to the international > public like other international legal documents. This is

Re: TURKTRUST root CA certificate inclusion request

2007-12-07 Thread Michael Ströder
Eddy Nigg (StartCom Ltd.) wrote: > > Now, you are right that this is certainly fine for people in the > knowledge of the respective language and character set. But what about > the rest? How can somebody make a judgment on the basis of the > certificate details if the vast majority can't read it?

Re: TURKTRUST root CA certificate inclusion request

2007-12-06 Thread Eddy Nigg (StartCom Ltd.)
Gervase Markham wrote: > Eddy Nigg (StartCom Ltd.) wrote: >> Exactly! And if the majority shouldn't trust a certificate with such a >> subject, neither should Mozilla (policy wise)! >> > > That doesn't follow. If we include a certificate from a Turkish CA which > has a Turkish subject line,

Re: TURKTRUST root CA certificate inclusion request

2007-12-06 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: > Gervase Markham wrote: >> Eddy Nigg (StartCom Ltd.) wrote: >> >>> I explained it before. Because YOU can't read the subject line >>> /C=ישראל/ST=דרום/O=סטארטקום בע"מ/CN=אדי ניק >>> It's completely useless to you. >> >> Absolutely. So I would seriously cons

Re: TURKTRUST root CA certificate inclusion request

2007-12-05 Thread Eddy Nigg (StartCom Ltd.)
Gervase Markham wrote: > Eddy Nigg (StartCom Ltd.) wrote: > >> I explained it before. Because YOU can't read the subject line >> /C=ישראל/ST=דרום/O=סטארטקום בע"מ/CN=אדי ניק >> It's completely useless to you. >> > > Absolutely. So I would seriously consider not trusting a site with such >

Re: TURKTRUST root CA certificate inclusion request

2007-12-05 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: > I explained it before. Because YOU can't read the subject line > /C=ישראל/ST=דרום/O=סטארטקום בע"מ/CN=אדי ניק > It's completely useless to you. Absolutely. So I would seriously consider not trusting a site with such a subject line. > A passport or internationa

Re: TURKTRUST root CA certificate inclusion request

2007-12-04 Thread Eddy Nigg (StartCom Ltd.)
Hi Gerv, Gervase Markham wrote: > How did a discussion about avoiding homograph spoofing turn into a > suggestion that we only allow Latin characters? > Did you follow the thread actually? But I'd suggest we move this discussion to a new thread since it's not related to this inclusion request

Re: TURKTRUST root CA certificate inclusion request

2007-12-04 Thread Eddy Nigg (StartCom Ltd.)
Hi Mert Özarar, Mert Özarar (TÜRKTRUST) wrote: > Our English website (beta version) is ready and have been uploaded > under domain. http://www.turktrust.com.tr/e/ is the current URL... Very nice, congratulations on that! > "http://www.turktrust.com.tr/e/en51.jsp" gives the current trust > hiera

Re: TURKTRUST root CA certificate inclusion request

2007-12-04 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: > Pure ASCII / Latin characters would do...do we need a spec for that? How did a discussion about avoiding homograph spoofing turn into a suggestion that we only allow Latin characters? That's entirely unreasonable. We've spent years working on things like IDN t

Re: TURKTRUST root CA certificate inclusion request

2007-12-04 Thread Mert Özarar (TÜRKTRUST)
Dear All, Once again thank you very much for your ideas, efforts and support for our case. We are quite delighted with the overall performance of this group and decided to follow up other topics in the group as well to increase our knowledge and experience on the target subjects to add value on ou

Re: TURKTRUST root CA certificate inclusion request

2007-12-02 Thread Michael Ströder
Hasse wrote: > In article <[EMAIL PROTECTED]>, Eddy Nigg (StartCom Ltd.) wrote... > >> I'm arguing that in this specific case >> you can't please everybody. Also passports and international driving >> licenses have English (Latin characters) translations. I view >> certificates as an *internati

Re: TURKTRUST root CA certificate inclusion request

2007-12-02 Thread Eddy Nigg (StartCom Ltd.)
Hasse wrote: >> I'm arguing that in this specific case >> you can't please everybody. Also passports and international driving >> licenses have English (Latin characters) translations. I view >> certificates as an *international* document - exactly like the documents >> I mentioned above. >>

Re: TURKTRUST root CA certificate inclusion request

2007-12-02 Thread C.J. Adams-Collier
On Nov 30, 2007 8:51 PM, David E. Ross <[EMAIL PROTECTED]> wrote: > On 11/30/2007 5:54 PM, Eddy Nigg (StartCom Ltd.) wrote: > > Gervase Markham wrote: > >> Eddy Nigg (StartCom Ltd.) wrote: > >> > >>> I think what Jean-Marc (and me previously) meant, is not related to > the > >>> domain name or ema

Re: TURKTRUST root CA certificate inclusion request

2007-12-01 Thread Hasse
In article <[EMAIL PROTECTED]>, Eddy Nigg (StartCom Ltd.) wrote... > I'm arguing that in this specific case > you can't please everybody. Also passports and international driving > licenses have English (Latin characters) translations. I view > certificates as an *international* document - exac

Re: TURKTRUST root CA certificate inclusion request

2007-12-01 Thread Eddy Nigg (StartCom Ltd.)
David E. Ross wrote: > > C is Israel. O appears to end (reading right-to-left) with a number, > perhaps 72 40. (This is without referring to a template of the X.509 > subject line.) Without the vowels, I can't read the rest. > Actually when having the subject converted to ASN.1 encoding accor

Re: TURKTRUST root CA certificate inclusion request

2007-12-01 Thread David E. Ross
On 12/1/2007 2:44 PM, Eddy Nigg (StartCom Ltd.) wrote: > David E. Ross wrote: >> Remember, ASCII stands for American Standard Code for Information >> Interchange. Unless the X.509 specifications require it, we should >> avoid ethnocentrism. >> > I understand what you mean here, but X.509 is a

Re: TURKTRUST root CA certificate inclusion request

2007-12-01 Thread Eddy Nigg (StartCom Ltd.)
David E. Ross wrote: > > Remember, ASCII stands for American Standard Code for Information > Interchange. Unless the X.509 specifications require it, we should > avoid ethnocentrism. > I understand what you mean here, but X.509 is a technical standard, in this case about how to print somethi

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread David E. Ross
On 11/30/2007 5:54 PM, Eddy Nigg (StartCom Ltd.) wrote: > Gervase Markham wrote: >> Eddy Nigg (StartCom Ltd.) wrote: >> >>> I think what Jean-Marc (and me previously) meant, is not related to the >>> domain name or email address but about the other details in the subject >>> line. Obviously th

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Nelson B Bolyard
Eddy Nigg (StartCom Ltd.) wrote: > Nelson Bolyard wrote: >> Regarding TurkTrust, if (as they say) the test certs come from a CA >> that chains up a separate, untrusted root, then all is well. But >> perhaps you could ask for a test cert and its chain, just to make sure >> it doesn't chain up to a

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Eddy Nigg (StartCom Ltd.)
Nelson Bolyard wrote: > Regarding TurkTrust, if (as they say) the test certs come from a CA > that chains up a separate, untrusted root, then all is well. But > perhaps you could ask for a test cert and its chain, just to make sure > it doesn't chain up to a to-be-trusted root? In my opinion this

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Eddy Nigg (StartCom Ltd.)
Gervase Markham wrote: > Eddy Nigg (StartCom Ltd.) wrote: > >> I think what Jean-Marc (and me previously) meant, is not related to the >> domain name or email address but about the other details in the subject >> line. Obviously the CN (or emailAddress) field is to be verified >> accordingly.

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Nelson Bolyard
Frank Hecker wrote: > Nelson B Bolyard wrote: >> Frank Hecker wrote: >>> For the record, I am pretty sure that we have CAs already in the >>> root list that have issued test certs under their hierarchies. >>> IIRC the last instance of this I saw was a CA that had a >>> subordinate CA used for testin

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Gervase Markham
Eddy Nigg (StartCom Ltd.) wrote: > I think what Jean-Marc (and me previously) meant, is not related to the > domain name or email address but about the other details in the subject > line. Obviously the CN (or emailAddress) field is to be verified > accordingly... Oh, I see. Yes, it's definitel

Re: TURKTRUST root CA certificate inclusion request

2007-11-30 Thread Michael Ströder
Nelson B Bolyard wrote: > Frank Hecker wrote: > >> For the record, I am pretty sure that we have CAs already in the root >> list that have issued test certs under their hierarchies. IIRC the last >> instance of this I saw was a CA that had a subordinate CA used for >> testing purposes, under the

Re: TURKTRUST root CA certificate inclusion request

2007-11-29 Thread Frank Hecker
Nelson B Bolyard wrote: > Frank Hecker wrote: >> For the record, I am pretty sure that we have CAs already in the root >> list that have issued test certs under their hierarchies. IIRC the last >> instance of this I saw was a CA that had a subordinate CA used for >> testing purposes, under the ro

Re: TURKTRUST root CA certificate inclusion request

2007-11-29 Thread Nelson B Bolyard
Frank Hecker wrote: > For the record, I am pretty sure that we have CAs already in the root > list that have issued test certs under their hierarchies. IIRC the last > instance of this I saw was a CA that had a subordinate CA used for > testing purposes, under the root CA that we include. (But a

Re: TURKTRUST root CA certificate inclusion request

2007-11-28 Thread Eddy Nigg (StartCom Ltd.)
Gervase Markham wrote: > Jean-Marc Desperrier wrote: > >> Maybe it would be adequate to require that the CA applies a policy that >> lowers the risk of homograph spoofing attacks. >> > > I've actually opposed this in the past. Homograph spoofing avoidance > policies are the domain of reg

Re: TURKTRUST root CA certificate inclusion request

2007-11-28 Thread Gervase Markham
Jean-Marc Desperrier wrote: > Maybe it would be adequate to require that the CA applies a policy that > lowers the risk of homograph spoofing attacks. I've actually opposed this in the past. Homograph spoofing avoidance policies are the domain of registries, not CAs. These checks should be don

Re: TURKTRUST root CA certificate inclusion request

2007-11-27 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker wrote: > I honestly don't know what the current status is, either with regard to > support for non US-ASCII strings within certs, or use of such strings by > CAs. I've made a note of this on the "CA recommended practices" wiki > page, as a reminder. > Frank, I used the "Discussio

Re: TURKTRUST root CA certificate inclusion request

2007-11-27 Thread Frank Hecker
Jean-Marc Desperrier wrote re using different character sets within certificates: > Maybe it would be adequate to require that the CA applies a policy that > lowers the risk of homograph spoofing attacks. Nameprep and the IDN > language-specific registration policy applicable to the language(s)

Re: TURKTRUST root CA certificate inclusion request

2007-11-27 Thread Jean-Marc Desperrier
Frank Hecker wrote: > Given that, why should we object to CAs putting Chinese, etc., names in > end entity certificates, as long as there is an appropriate technical > mechanism to make this work? [...] > [...] Since most of those users won't speak English, it makes sense > for domain names, na

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker wrote: > > Since you asked me to comment... > > First, is this question about names included in end entity certificates? > (For example, a CA issuing an SSL server certificate to an organization, > and having the organization's name within the certificate being in > Turkish, or Hebr

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > That's correct, however most of the potential users of Mozilla software > don't know Turkish nor the Turkish letters and the question really is, > how this should be handled from the point of view of Mozilla. What if > tomorrow a CA from -Insert Country Here- i

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Eddy Nigg (StartCom Ltd.)
Hi Mert Özarar, Thank you for your participation here! Please allow me a few notes and suggestions. Mert Özarar (TÜRKTRUST) wrote: > Answer > --- > The audit statement has been taken from the first audit date which was > on June 2005. The Turkish Telecommunications Authority visits us >

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Eddy Nigg (StartCom Ltd.)
Hi Frank, Frank Hecker wrote: > I'll ask the TÜRKTRUST representative more about the test certificates. > However as a general matter I'm not sure that a CA issuing test > certificates under a hierarchy is a real matter of concern, as long as > distribution of such certs and the associated priva

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Frank Hecker
C.J. Adams-Collier wrote: > I don't feel comfortable with the approval of inclusion based on an > obsoleted document, though. If the applicant could be requested to publish > the most recent draft as HTML, PDF or plain text, the public would be able to > review the document, and I would feel more c

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Frank Hecker
Eddy Nigg (StartCom Ltd.) wrote: > C.J. Adams-Collier wrote: >> I am concerned, however, that TÜRKTRUST would even consider using a >> production CA to issue "test" certificates. > Using an intermediate CA wouldn't solve this problem (as you call it, > sibling?), but an unrelated CA root would.

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Mert Özarar (TÜRKTRUST)
Dear Mr. Nigg, First of all, thank you very much for your efforts and invaluable comments on our inclusion. I will briefly explain your questions and observations in this post. Please take care the lines starting with Answer --- Thank you very much again for your support. Best regards, M

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Mert Özarar (TÜRKTRUST)
On Nov 26, 11:17 am, "Eddy Nigg (StartCom Ltd.)" <[EMAIL PROTECTED]> wrote: > Upon request I tried to add the "Third Version of TURKTRUST-CPS (email > verification revised)" in PDF format, however it exceeds 300Kb :S > > What kind of limit is that? Anyway, will send it directly to whomever > reques

Re: TURKTRUST root CA certificate inclusion request

2007-11-26 Thread Eddy Nigg (StartCom Ltd.)
Upon request I tried to add the "Third Version of TURKTRUST-CPS (email verification revised)" in PDF format, however it exceeds 300Kb :S What kind of limit is that? Anyway, will send it directly to whomever requests it... -- Regards Signer: Eddy Nigg, StartCom Ltd.

Re: TURKTRUST root CA certificate inclusion request

2007-11-25 Thread C.J. Adams-Collier
On Nov 25, 2007 3:10 AM, Eddy Nigg (StartCom Ltd.) <[EMAIL PROTECTED]> wrote: > Using an intermediate CA wouldn't solve this problem (as you call it, > sibling?), but an unrelated CA root would. > I would have referred to an intermediate CA cert as a "child" or "sub" CA cert. By "unrelated" (you

Re: TURKTRUST root CA certificate inclusion request

2007-11-25 Thread Eddy Nigg (StartCom Ltd.)
C.J. Adams-Collier wrote: > Hey there Frank, Eddy, auditors of all colors, > > I personally feel uncomfortable with the approval of this application > prior to resolution of the section 7 violation Eddy and Gerv have > noted. Also, the CPS is a .doc file... could we get a file format > that can

Re: TURKTRUST root CA certificate inclusion request

2007-11-24 Thread C.J. Adams-Collier
Hey there Frank, Eddy, auditors of all colors, I personally feel uncomfortable with the approval of this application prior to resolution of the section 7 violation Eddy and Gerv have noted. Also, the CPS is a .doc file... could we get a file format that can be reviewed by the public, please? HTM

Re: TURKTRUST root CA certificate inclusion request

2007-11-22 Thread Eddy Nigg (StartCom Ltd.)
Frank Hecker wrote: > TÜRKTRUST has applied to add two root CA certificates to the Mozilla > root store, as documented in the following bug: > > https://bugzilla.mozilla.org/show_bug.cgi?id=380635 > > and propose to approve this request in two weeks time after a public > discussion period. If y

TURKTRUST root CA certificate inclusion request

2007-11-21 Thread Frank Hecker
TÜRKTRUST has applied to add two root CA certificates to the Mozilla root store, as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=380635 and in the pending certificates list here: http://www.mozilla.org/projects/security/certs/pending/#T%C3%9CRKTRUST I have