Closed Bug 1007683 Opened 11 years ago Closed 9 years ago

Add TÜRKTRUST Root CA for TÜRKTRUST Root Hierarchy 5 and 6

Categories: CA Program :: CA Certificate Root Program
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED

People

(Reporter: mert.ozarar, Assigned: kathleen.a.wilson)

Details

(Whiteboard: EV - In Firefox 42, NSS 3.19.3; EV enabled in Firefox 44)

Attachments

(4 files, 2 obsolete files)

Attached file Bugzilla_H6.docx
User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
Steps to reproduce: We have already produced and declared a new root hierarchy, and we obviously want to add this 5th hierarchy to the Mozilla store as well. We have attached a file which answers the questions given at the URL: https://wiki.mozilla.org/CA:Information_checklist
Expected results: The new root hierarchy should be included in the Mozilla Root CA Store, as was done previously.
A little over a year ago, TÜRKTRUST misissued intermediate certificates, creating a MITM vulnerability. This was discovered in a report by Google. TÜRKTRUST appears to have delayed reporting the problem. To what extent has an outside, independent audit specifically determined that such lapses will not occur again? Reference: <https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/>
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog. https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase I will update this bug when I begin the Information Verification phase. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Thanks for the information. Please note that the main aim of this root is to issue EV SSL certificates to end-entities. (I've just seen some EV flags in the URL https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase, which is why I wanted to mention it.)
I'm going to combine bug #1007682 with this bug.
Summary: Add TÜRKTRUST Root CA for TÜRKTRUST Root Hierarchy 6 → Add TÜRKTRUST Root CA for TÜRKTRUST Root Hierarchy 5 and 6
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness, and provide the necessary information in this bug.
Whiteboard: EV - information incomplete
Please also complete the EV testing as described here: https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Our recent updates about the status of the TURKTRUST H5 and H6 roots are found below.

Update of CA Primary Point of Contact (POC) info:
e-mail_1: volkan.nergiz@turktrust.com.tr
e-mail_2: burak.kalkan@turktrust.com.tr
Email Alias: ssl@turktrust.com.tr
CA Phone Number: +90 312 439 10 00

About “Comment 6” of 2014-06-23:
1) The OCSP problems regarding H5 and H6 on the test web sites below are solved.
https://testsuite12001.turktrust.com.tr
https://testsuite12002.turktrust.com.tr
2) The following e-mail address prefixes are used for domain verification of both DV and OV certificates: "admin", "administrator", "webmaster", "hostmaster" or "postmaster".
3) Domain/e-mail validation is performed by TURKTRUST CA and is not delegated to any third party.
4) Generated private keys are “not” distributed in PKCS#12 files.
5) CRLs are not generated with critical IDP extensions.
6) About the “Lack of communication with end users” item: TURKTRUST is contactable by the public customer services phone number 0850 222 444 6 and the e-mail address ssl@turktrust.com.tr, which are openly announced on the TURKTRUST website http://www.turktrust.com.tr, and accepts and acts upon complaints made by those relying on its assertions of identity. This includes being responsive to members of the general public, including people who have not purchased products from TURKTRUST.
7) About the “Backdating the notBefore date” item: The notBefore date of an SSL certificate issued by TURKTRUST is its issuance time.

About “Comment 7” of 2014-06-23:
The EV testing as described in https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version was performed successfully for H6.

We are looking forward to progressing in our root inclusion and EV enabling process for Mozilla soon. Please respond to us promptly if there is any other additional information to be supplied on our side.
This link is no longer working: http://www.turktrust.com.tr/en/kok_sertifika_kurulumu2.html What is the new url?
I have entered the information for this request into SalesForce. Please review the attached document for accuracy and completeness.
About “Comment 9” of 2015-02-03: The new URL for this page is http://www.turktrust.com.tr/en/bilgi-deposu/kok-sertifikalari-kurulumu-ve-iptal-listeleri/
About “Comment 10” of 2015-02-03: We are not issuing any new SHA-1 intermediate or end-entity certificates, and we do not have any active SHA-1 intermediate certificates in use.
About “Comment 11” of 2015-02-03: The attached document has been reviewed and it is confirmed that it is accurate and complete.
After the verification of the answers above in this comment, the “Need Response From CA” areas of the document should be updated.
Attached file complete-1007683-CAInformation.pdf (obsolete) —
Whiteboard: EV - information incomplete → EV - Ready for Public Discussion
Fixed a copy-paste error regarding root hierarchy information.
Attachment #8562953 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from TurkTrust to include the SHA-256 “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5” and “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6” root certificates; turn on the Websites trust bit for both roots, turn on the Code Signing trust bit for the H5 root, and enable EV treatment for the H6 root. TurkTrust’s SHA-1 root certificates were included in NSS via Bugzilla Bug #380635 and Bug #433845. For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list. The discussion thread is called “TurkTrust Root Renewal Request”. Please actively review, respond, and contribute to the discussion. A representative of TurkTrust must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
Attachment #8564145 - Attachment is obsolete: true
Attachment #8564145 - Attachment is patch: false
Attachment #8564145 - Attachment mime type: text/plain → application/pdf
Attachment #8564145 - Attachment description: 685128-CAInformation.pdf → spam copied from bug 685128-CAInformation.pdf
The public comment period for this request is now over. This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical]. I am not aware of instances where TurkTrust has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy]. TurkTrust appears to provide a service relevant to Mozilla users. It is an IT company based in Turkey. TÜRKTRUST is an authorized qualified electronic certificate service provider according to the Turkish Electronic Signature Law. TÜRKTRUST issues qualified certificates, time-stamping services, SSL certificates, and object signing certificates. TurkTrust's SHA-1 root certificates were included in NSS via Bugzilla Bug #380635 and Bug #433845.

== Root Certificate 1 of 2 ==
Root Certificate Name: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
O From Issuer Field: TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
Trust Bits: Code; Websites
EV Policy OID(s): Not EV
Root Certificate Download URL: http://www.turktrust.com.tr/sertifikalar/TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_h5.crt
Certificate Summary: The H5 root has internally-operated subCAs that issue SSL and Code Signing certificates.
Certificate Revocation
CRL URL(s): http://www.turktrust.com.tr/sil/TURKTRUST_SSL_SIL_h5.crl http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL_h5.crl
OCSP URL(s): http://ocsp.turktrust.com.tr

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: http://www.turktrust.com.tr/en/bilgi-deposu/kok-sertifikalari-kurulumu-ve-iptal-listeleri/
TURKTRUST ECSP 5. ROOT HIERARCHY
Root: TURKTRUST Electronic Certificate Service Provider Certificate
SSL subCA: TURKTRUST Electronic Server Certificate Services Certificate
Non-QEC subCA: TURKTRUST Simple Electronic Certificate Services Certificate
Code-Signing subCA: TURKTRUST Object Signing Services Certificate
Externally Operated SubCAs: None. None planned.
Cross Signing: None. None planned.
==

== Root Certificate 2 of 2 ==
Root Certificate Name: TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
O From Issuer Field: TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş.
Trust Bits: Websites
EV Policy OID(s): 2.16.792.3.0.3.1.1.5
Root Certificate Download URL: http://www.turktrust.com.tr/sertifikalar/TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_h6.crt
Certificate Summary: The H6 root has an internally-operated subCA that issues EV SSL certificates.
Certificate Revocation
CRL URL(s): http://www.turktrust.com.tr/sil/TURKTRUST_EV_SSL_SIL_h6.crl http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL_h6.crl
OCSP URL(s): http://ocsp.turktrust.com.tr

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: http://www.turktrust.com.tr/en/bilgi-deposu/kok-sertifikalari-kurulumu-ve-iptal-listeleri/
TURKTRUST ECSP 6. ROOT HIERARCHY
Root: TURKTRUST Electronic Certificate Service Provider Certificate
EV SSL subCA: TURKTRUST Electronic Server Certificate Services Certificate (EVSSL)
Externally Operated SubCAs: None. None planned.
Cross Signing: None. None planned.
==

CA Document Repository: http://www.turktrust.com.tr/en/bilgi-deposu
CP: http://dl.turktrust.com.tr/pdf/TURKTRUST-CP-v09-SSL.pdf
CPS: http://dl.turktrust.com.tr/pdf/TURKTRUST-CP-v09-SSL.pdf

Inclusion Policy Section 7 [Validation]. TurkTrust appears to meet the minimum requirements for subscriber verification, as follows:
* SSL Verification Procedures: Domain/e-mail validation is performed by TURKTRUST CA and is not delegated to any third party. The following e-mail address prefixes are used for domain verification: "admin", "administrator", "webmaster", "hostmaster" or "postmaster". According to CPS section 3.2.2.1, for SSL and OSC applications, different control steps are applied depending on whether the request is domestic or foreign; the distinction is based on the residential address of the subscriber. The subscriber's legal existence and credentials, domain name, the existence of the applicant's representative and of the application, CSR information and so forth should be verified. This verification is done with a unique user name and activation code sent to the authorized person's e-mail address. CPS section 3.2.2.2 describes the verification procedures for EV SSL certs.
* Email Verification Procedures: Not requesting the Email trust bit.
* Code Signing Subscriber Verification Procedure: According to CPS Section 1.2, the TURKTRUST OSC Policy (2.16.792.3.0.3.1.1.4) covers certificates related to object signing operations. OSC is issued and maintained in conformity with the “Normalized Certificate Policy” defined in ETSI TS 102 042. CPS sections 3.1.5.3 and 3.2.2 describe how TURKTRUST verifies the identity and authority of the certificate subscriber.

Inclusion Policy Sections 11-14 [Audit]. Annual audits are performed by TUVIT, according to the ETSI TS 102 042 criteria. https://www.tuvit.de/en/certification-overview-1265-trusted-site-etsi-certificates-1334.htm

Based on this assessment I intend to approve this request from TURKTRUST to include the SHA-256 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" and "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" root certificates; turn on the Websites trust bit for both roots, turn on the Code Signing trust bit for the H5 root, and enable EV treatment for the H6 root.
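The constructed-address rule stated in the CA's reply above (item 2 of the 2014 update) and repeated in the verification summary (validation mail goes only to admin, administrator, webmaster, hostmaster or postmaster at the requested domain) is easy to get wrong at the domain-matching step. The following is an added example, not TÜRKTRUST's code and not anything attached to this bug, showing how a CA-side check can decide whether a proposed contact address is an acceptable constructed address for a requested FQDN: the local part must be one of the five prefixes, and the domain must be the FQDN itself or one of its parent domains above the public suffix, so that an address such as admin@com.tr, a deeper subdomain, or an unrelated domain is rejected. The public-suffix set and the sample addresses are constructed for the example; a real validator would load the full Public Suffix List.

```python
"""Constructed-address check for domain validation (added example).

Given the FQDN in a certificate request, compute the "authorization
domains" (the FQDN and its parent domains down to, but excluding, the
public suffix) and accept a contact address only if it is one of the
agreed prefixes at one of those domains.
"""

# The five local parts the CA says it uses for DV/OV validation mail.
CONSTRUCTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Assumption: a tiny stand-in for the Public Suffix List, constructed for
# this example so it runs offline. A production validator must load the
# real list from publicsuffix.org.
PUBLIC_SUFFIXES = frozenset({"com", "net", "org", "tr", "com.tr", "org.tr"})


def _normalize_fqdn(fqdn: str) -> str:
    """Lower-case, strip a trailing dot and a leading wildcard label."""
    fqdn = fqdn.strip().lower().rstrip(".")
    if fqdn.startswith("*."):
        fqdn = fqdn[2:]
    return fqdn


def authorization_domains(fqdn: str) -> list[str]:
    """Return the FQDN and each parent domain that is not a public suffix,
    most specific first. A public suffix itself yields an empty list."""
    labels = _normalize_fqdn(fqdn).split(".")
    domains = []
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            break
        domains.append(candidate)
    return domains


def constructed_addresses(fqdn: str) -> list[str]:
    """All addresses the CA may send a validation token to for this FQDN."""
    return [
        f"{local}@{domain}"
        for domain in authorization_domains(fqdn)
        for local in sorted(CONSTRUCTED_LOCAL_PARTS)
    ]


def is_acceptable_contact(email: str, fqdn: str) -> bool:
    """True only if `email` is <prefix>@<authorization domain of fqdn>.

    The local part is compared case-insensitively; exactly one '@' is
    required so that 'admin@example.com@attacker.net' style input fails.
    """
    if email.count("@") != 1:
        return False
    local, _, domain = email.partition("@")
    local = local.strip().lower()
    domain = domain.strip().lower().rstrip(".")
    if local not in CONSTRUCTED_LOCAL_PARTS:
        return False
    return domain in authorization_domains(fqdn)


if __name__ == "__main__":
    # Constructed sample request: one of the CA's own test hostnames.
    requested = "testsuite12001.turktrust.com.tr"
    for addr in ("admin@turktrust.com.tr", "admin@com.tr",
                 "sales@turktrust.com.tr", "webmaster@evil.example.net"):
        print(f"{addr:32} -> {is_acceptable_contact(addr, requested)}")
```

The important property is that `authorization_domains` stops at the public suffix: without that stop, `admin@com.tr` would be accepted as a "parent domain" of every `.com.tr` host. Wildcard requests are validated against the base name, which matches how the constructed addresses for `*.example.com` would be `admin@example.com` and not `admin@*.example.com`.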
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #18, and on behalf of Mozilla, I approve this request from TURKTRUST to include the following root certificates:
** “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5” (websites, code signing)
** “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6” (websites), enable EV
I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1147672
Depends on: 1147675
I have filed bug #1147672 against NSS and bug #1147675 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - In Firefox 42, NSS 3.19.3 - awaiting PSM changes
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: EV - In Firefox 42, NSS 3.19.3 - awaiting PSM changes → EV - In Firefox 42, NSS 3.19.3; EV enabled in Firefox 44
Product: mozilla.org → NSS
Product: NSS → CA Program