Closed
Bug 1262809
Opened 8 years ago
Closed 7 years ago
TUBITAK Kamu Sertifikasyon Merkezi - New Root Certificate
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: tugba.ozcan, Assigned: kwilson)
References
Details
(Whiteboard: Added in NSS 3.30.2, Firefox 54 and NSS 3.28.5, ESR 52.2. Constrained to *.gov.tr, *.k12.tr, etc.)
Attachments
(19 files, 5 obsolete files)
|
54.70 KB,
application/vnd.openxmlformats-officedocument.wordprocessingml.document
|
Details | |
|
194.68 KB,
application/pdf
|
Details | |
|
1.10 KB,
application/x-x509-ca-cert
|
Details | |
|
158.99 KB,
application/pdf
|
Details | |
|
263.62 KB,
application/pdf
|
Details | |
|
163.87 KB,
application/pdf
|
Details | |
|
938.02 KB,
application/pdf
|
Details | |
|
926.87 KB,
application/pdf
|
Details | |
|
894.56 KB,
application/pdf
|
Details | |
|
441.13 KB,
application/pdf
|
Details | |
|
574.48 KB,
application/pdf
|
Details | |
|
577.16 KB,
application/pkcs7-signature
|
Details | |
|
3.17 MB,
application/pdf
|
Details | |
|
3.17 MB,
application/pkcs7-signature
|
Details | |
|
447.94 KB,
application/pdf
|
Details | |
|
2.97 MB,
application/pkcs7-signature
|
Details | |
|
402.79 KB,
application/pdf
|
Details | |
|
397.40 KB,
application/pdf
|
Details | |
|
154.36 KB,
application/pdf
|
Details |
CA Details: Kamu SM (Government Certification Authority) is a government-owned Certificate Authority (CA) in Turkey operated in compliance with the international standards. CA Name: Kamu Sertifikasyon Merkezi Website: http://www.kamusm.gov.tr/ (Turkish Only) Auditor: Information and Communications Technologies Authority (ICTA) Audit Type: According to sections 9 of Mozilla’s CA Certificate Inclusion Policy, our CA had an audit report from ICTA. ICTA is declared as the regularity and auditing body for electronic certificate service providers in Turkey by the Turkish Electronic Signature Law. And also according to section 10 and 11 of Mozilla’s CA Certificate Inclusion Policy, our audit report states that our government CA complies with ETSI TS 101 456, ETSI TS 102 042 and CA/Browser Forum Baseline Requirements. The last audit date was April, 30.12.2015 Auditor Website: http://www.btk.gov.tr/tr-TR/Anasayfa Certificate URL: http://www.btk.gov.tr/File/?path=ROOT%2f1%2fDocuments%2fPages%2fSectors%2f%C4%B0nformation+Technologies+Sector%2fTUB%C4%B0TAK+yetkilendirme.pdf Certificate Details ------------------- Certificate Name: TUBITAK Kamu SM SSL Kok Sertifikası – Surum 1 CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 OU = Kamu Sertifikasyon Merkezi - Kamu SM O = Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK L = Gebze - Kocaeli C = TR This is the SHA-2 version of currently included root “TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3”. We only update the signature algorithm RSA with SHA1 to RSA with SHA-256.Our purpose is issuing OV SLL certificates to major government entities in Turkey. Certificate download URL (on CA website): http://depo.kamusm.gov.tr/ssl/SSLKOKSM.S1.cer Version: v3 SHA1 Fingerprint: 31 43 64 9b ec ce 27 ec ed 3a 3f 0b 8f 0d e4 e8 91 dd ee ca Public key length (for RSA, modulus length) in bits: Valid From (YYYY-MM-DD):25.11.2013 Valid To (YYYY-MM-DD):25.10.2043 CRL HTTP URL: http://depo.kamusm.gov.tr/ssl/SSLSIL.S1.crl CRL issuing frequency for subordinate end-entity certificates: CRL issuing frequency for subordinate CA certificates: OCSP URL: http://ocspssls1.kamusm.gov.tr Class (domain-validated, identity/organizationally-validated or EV):identity/organizationally-validated Certificate Policy URL: http://depo.kamusm.gov.tr/ilke/ CPS URL:http://depo.kamusm.gov.tr/ilke/ Requested Trust Indicators (email and/or SSL and/or code signing): URL of example website using certificate subordinate to this root testssl.kamusm.gov.tr
|
Reporter | |
Comment 1•8 years ago
|
||
|
|
Reporter | |
Comment 2•8 years ago
|
||
|
|
Reporter | |
Comment 3•8 years ago
|
||
Dear Sirs; This is Tuğba from Kamu SM (Government CA of Turkey). I created this bug report regarding to submit our new root to Mozilla. You can find initial CA Information form, audit report and and our root certificate in attachment. If you require more information, please do not hesitate to contact
|
Assignee | |
Comment 4•8 years ago
|
||
I am beginning the Information Verification for this request. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
|
|
Assignee | |
Comment 5•8 years ago
|
||
What are the direct URLs to the CP and CPS in Turkish and English?
|
|
Reporter | |
Comment 6•8 years ago
|
||
You can find English CP and CPS document in address: http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf
|
|
Assignee | |
Comment 7•8 years ago
|
||
(In reply to Tuğba ÖZCAN from comment #6) > You can find English CP and CPS document in address: > > http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf Please provide the URL to the corresponding CP/CPS document in Turkish. (It's not clear to me which document the English translation is from.)
|
|
Assignee | |
Comment 8•8 years ago
|
||
I've entered the data for this request into the CA Community in SalesForce. Please review the attached document to ensure it is correct and complete, and provide corrections by posting comments in this bug. Note: I need to do the revocation test, but the http://certificate.revocationcheck.com/ website is currently down.
|
|
Assignee | |
Comment 9•8 years ago
|
||
(In reply to Kathleen Wilson from comment #8) > Created attachment 8747330 [details] > 1262809-CAInformation.pdf > > I've entered the data for this request into the CA Community in SalesForce. > > Please review the attached document to ensure it is correct and complete, > and provide corrections by posting comments in this bug. > > Note: I need to do the revocation test, but the > http://certificate.revocationcheck.com/ website is currently down. Tested, but errors returned: http://ocspssls1.kamusm.gov.tr (GET) http://ocspsslkoks1.kamusm.gov.tr (GET) OCSP service returned 'Malformed' Server Software: KSM OCSP Server/1.0 ThisUpdate not set (RFC 5019, section 6.2) NextUpdate not set (RFC 5019, section 2.2.4)
|
|
Assignee | |
Comment 10•8 years ago
|
||
Here's the URL to the test output: https://certificate.revocationcheck.com/testssl.kamusm.gov.tr
|
||
Comment 11•8 years ago
|
||
(In reply to Kathleen Wilson from comment #9) > (In reply to Kathleen Wilson from comment #8) > > Created attachment 8747330 [details] > > 1262809-CAInformation.pdf > > > > I've entered the data for this request into the CA Community in SalesForce. > > > > Please review the attached document to ensure it is correct and complete, > > and provide corrections by posting comments in this bug. > > > > Note: I need to do the revocation test, but the > > http://certificate.revocationcheck.com/ website is currently down. > > Tested, but errors returned: > http://ocspssls1.kamusm.gov.tr (GET) > http://ocspsslkoks1.kamusm.gov.tr (GET) > OCSP service returned 'Malformed' > > Server Software: KSM OCSP Server/1.0 > ThisUpdate not set (RFC 5019, section 6.2) > NextUpdate not set (RFC 5019, section 2.2.4) We get "ThisUpdate and NextUpdate not set" error for HTTP GET requests because currently we just respond to POST requests and will fix it immediately but as I realized, for also POST requests we get "NextUpdate not set" error. According to CAB Forum BR section 4.9.9, "OCSP responses MUST conform to RFC2560 and/or RFC5019" and we conform to RFC 2560. Therefore we do not include nextUpdate field for indicating that "newer revocation information is available all the time" as stated in section 2.4 of RFC 2560. So, is it enough to respond HTTP GET requests and be conformant to RFC 2560?
|
|
Assignee | |
Comment 12•8 years ago
|
||
(In reply to Tamer ERGUN from comment #11) > So, is it enough to respond HTTP GET requests and be conformant to RFC 2560? You are correct. According to rfc6960 the nextUpdate value is optional, but according to rfc5019 (OCSP Profile for High-Volume Environments) it's required. The revocationcheck site is tuned CA's for high volume environments. I will make a note that this is OK. Please update this bug when the other errors are resolved.
|
|
Assignee | |
Comment 13•8 years ago
|
||
Also... (In reply to Kathleen Wilson from comment #7) > (In reply to Tuğba ÖZCAN from comment #6) > > You can find English CP and CPS document in address: > > > > http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf > > Please provide the URL to the corresponding CP/CPS document in Turkish. > (It's not clear to me which document the English translation is from.)
|
|
Assignee | |
Comment 14•8 years ago
|
||
Also, Kamu SM has not responded to the March 2016 CA Communication: https://wiki.mozilla.org/CA:Communications#March_2016
|
|
Reporter | |
Comment 15•8 years ago
|
||
Hi Kathleen , We are sorry to late for survey, today we responded to the March 2016 CA Communication. Thanks a lot.
|
|
Reporter | |
Comment 16•8 years ago
|
||
Here is the URL to the corresponding CP/CPS document in Turkish: http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf Thanks
|
|
Reporter | |
Comment 17•8 years ago
|
||
(In reply to Kathleen Wilson from comment #13) > Also... > > (In reply to Kathleen Wilson from comment #7) > > (In reply to Tuğba ÖZCAN from comment #6) > > > You can find English CP and CPS document in address: > > > > > > http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf > > > > Please provide the URL to the corresponding CP/CPS document in Turkish. > > (It's not clear to me which document the English translation is from.) Hi Kathleen, We have fixed the error for HTTP GET requests,and tested it. Now, it seems OK. Thanks
|
|
Assignee | |
Comment 18•8 years ago
|
||
|
|
Assignee | |
Comment 19•8 years ago
|
||
This request has been added to the queue for public discussion. https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion I will update this bug when I start the discussion.
Whiteboard: Ready for Public Discussion
|
|
Reporter | |
Comment 20•7 years ago
|
||
Hi Kathleen, I want to ask how much longer we wait for discussion? As we know,max duration in the queue is 2 months but we are waiting since May. So, we hesitated. Is there a problem about our application? Thanks a lot.
|
|
Assignee | |
Comment 21•7 years ago
|
||
Please let me know where you got the impression that the *maximum* duration in the queue is 2 months, so I can fix that. The timing is dependent on the other CA requests that are in the queue ahead of yours, and how promptly people are reviewing and commenting in the discussions. If you are not following the mozilla.dev.security.policy forum, then I recommend that you begin doing so. https://groups.google.com/d/msg/mozilla.dev.security.policy Also, it is a good idea to see what is requested of the CAs who are currently in the public discussion phase.
|
|
Reporter | |
Comment 22•7 years ago
|
||
I checked now, As I read before from https://wiki.mozilla.org/CA:How_to_apply, in Timeline part, Queue for Public Discussion 1 month and 2 months respectively, I got it as minumum and maximum cases. But now, I checked again and see those are best and typical cases. Also, thank you for your advice, it is a good idea to follow forum page.We will start to catch requests of the current CAs.
|
|
Reporter | |
Comment 23•7 years ago
|
||
|
|
Assignee | |
Comment 24•7 years ago
|
||
I have sent email to the auditor to confirm the authenticity of the audit statement. -- As per Mozilla's process when audit statements are provided by the CA (rather than being posted on the auditor's website or a site like webtrust.org).
|
|
Assignee | |
Comment 25•7 years ago
|
||
I received email from the auditor confirming the authenticity of the attached audit statement, and clarifying:
The roots and subroots audited according to the ETSI TS 102 042 v2.4.1 audit criteria and Baseline Requirements, here:
Root Name: TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
SHA-256 Hash Value:e4c73430d7a5b50925df43370a0d216e9a79b9d6db8373a0c69eb1cc31c7c52a
Sub Root Name:Cihaz Sertifikası Hizmet Sağlayıcısı - Sürüm 4
SHA-256 Hash Value: 51d849fc27c5b3115bf056751b0c6afb4b2999e644c7bb2082a0b98d9058e28d
Root Name: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
SHA-256 Hash Value: 46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716
Sub Root Name: TUBITAK Kamu SM SSL Sertifika Hizmet Saglayicisi - Surum 1
SHA-256 Hash Value: 4571659aaf715c13ee703e3643dfcbaeee2d82110ca68eb57cb67ce0
... the audit period was 19.12.2015 – 19.12.2016.|
|
Assignee | |
Comment 26•7 years ago
|
||
Attachment #8755609 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 27•7 years ago
|
||
I am now opening the public discussion period for this request from Kamu Sertifikasyon Merkezi (Kamu SM) to included the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate and enable the Websites trust bit. For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion Public discussion will be in the mozilla.dev.security.policy forum. https://groups.google.com/d/msg/mozilla.dev.security.policy/vjXyml8Hy-E/5JUs8e3YDAAJ The discussion thread is called "Include Renewed Kamu SM root certificate". Please actively review, respond, and contribute to the discussion. A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Ready for Public Discussion → In Public Discussion
|
|
Reporter | |
Comment 28•7 years ago
|
||
We have created Test Website - Expired and Test Website Revoked for this new root. You can find in theese addresses: Revoked: https://testsslrevoked.kamusm.gov.tr/ Expired: https://testsslexpired.kamusm.gov.tr/
|
|
Assignee | |
Comment 29•7 years ago
|
||
|
|
Reporter | |
Comment 30•7 years ago
|
||
Hi Kathleen, Our updated CP/CPS documents in Turkish and in English are now in our web page. Here are the related links: http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf Also I am adding last versions to this bug. Thanks a lot.
|
|
Reporter | |
Comment 31•7 years ago
|
||
|
|
Reporter | |
Comment 32•7 years ago
|
||
|
|
Assignee | |
Comment 33•7 years ago
|
||
The public comment period for this request is now over. This request has been evaluated as per Mozilla’s CA Certificate Policy at https://www.mozilla.org/about/governance/policies/security-group/certs/policy/ Here follows a summary of the assessment. If anyone sees any factual errors, please point them out. * Inclusion Policy Section 4 [Technical]. I am not aware of instances where the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug. * Inclusion Policy Section 6 [Relevance and Policy]. Kamu SM appears to provide a service relevant to Mozilla users. Kamu SM is a government-owned Certificate Authority in Turkey operated in compliance with the international standards. Note that the CA has indicated that Mozilla may constrain this root cert to the following TLDs: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr and org.tr As a government CA that only issues certificates to government-owned domains (restricted to the TLDs listed above), Kamu SM does not issue any certificates outside of Turkey. Root Certificate Name: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1 O From Issuer Field: Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK Trust Bits: Websites EV Policy OID: Not EV Root Certificate Download URL: https://bugzilla.mozilla.org/attachment.cgi?id=8738995 http://depo.kamusm.gov.tr/ssl/SSLKOKSM.S1.cer Certificate Hierarchy This root certificate has internally operated subordinate CAs that issue SSL end-entity certificates. Certificate Revocation CRL URLs: http://depo.kamusm.gov.tr/ssl/SSLSIL.S1.crl http://depo.kamusm.gov.tr/ssl/SSLKOKSIL.S1.crl SSL CP/CPS Section 4.9.7: CRL for end-entity certs is valid for maximum of 36 hours. OCSP URLs: http://ocspssls1.kamusm.gov.tr http://ocspsslkoks1.kamusm.gov.tr * The primary document, the SSL CP/CPS, is provided in both Turkish and English. Document Repository: http://depo.kamusm.gov.tr/ilke/ SSL CP/CPS: http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf * Inclusion Policy Section 7 [Validation] Kamu SM appears to meet the minimum requirements for subscriber verification, as follows: ** SSL Verification Procedures: According to section 3.2.2 of the SSL CPS, Kamu SM verifies the domain name by checking nic.tr (the domain name registrar in Turkey), communicating directly with the Domain Name Registrant using an email or telephone number provided by nic.tr, and requesting and verifying an agreed-upon change to information found on an online web page identified by a uniform resource identifier containing the full domain name. ** Email Verification Procedures: Not requesting the Email trust bit * Audit: Annual audits are performed by Information and Communications Technologies Authority (ICTA) according to the ETSI TS 102 042 v2.4.1 criteria. Audit Statement: https://bug1262809.bmoattachments.org/attachment.cgi?id=8819839 I received email from the auditor confirming the authenticity of the audit statement. Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1262809#c25 * Potentially Problematic Practices: None Noted (http://wiki.mozilla.org/CA:Problematic_Practices) Based on this assessment I intend to approve this request from Kamu SM to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit.
Severity: major → enhancement
Whiteboard: In Public Discussion → Pending Approval
|
|
Assignee | |
Comment 34•7 years ago
|
||
As per the summary in Comment #33, and on behalf of Mozilla I approve this request from the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) to include the following root certificate: ** "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" (Websites) I will file the NSS bug for the approved change to include this root cert and constrain it to the following TLDs: gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr and org.tr
Whiteboard: Pending Approval → [ca-approved] Pending NSS changes
|
|
Assignee | |
Comment 35•7 years ago
|
||
I have filed bug #1349705 against NSS for the actual change.
|
|
Assignee | |
Updated•7 years ago
|
Whiteboard: [ca-approved] Pending NSS changes → [ca-approved] Pending NSS changes - Constrain to *.gov.tr, *.k12.tr, etc.
|
|
Assignee | |
Updated•7 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [ca-approved] Pending NSS changes - Constrain to *.gov.tr, *.k12.tr, etc. → Added in NSS 3.30.2, Firefox 54 and NSS 3.28.5, ESR 52.2. Constrained to *.gov.tr, *.k12.tr, etc.
|
||
Updated•7 years ago
|
Product: mozilla.org → NSS
|
|
Reporter | |
Comment 36•6 years ago
|
||
|
||
Comment 37•5 years ago
|
||
Our audit report which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019).
|
|
||
Comment 38•5 years ago
|
||
Our audit report (signed by auditor representative) which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019).
|
|
||
Comment 39•5 years ago
|
||
Our eIDAS certificate which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019).
|
|
||
Comment 40•5 years ago
|
||
Our eIDAS certificate (signed by auditor representative) which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019).
|
|
||
Comment 41•5 years ago
|
||
All audit documents for download and CCADB Case.
|
|
||
Updated•5 years ago
|
Attachment #9029921 -
Attachment is obsolete: true
|
|
||
Updated•5 years ago
|
Attachment #9029923 -
Attachment is obsolete: true
|
|
||
Updated•5 years ago
|
Attachment #9029927 -
Attachment is obsolete: true
|
|
||
Comment 42•5 years ago
|
||
Our audit report which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019)
|
|
||
Comment 43•5 years ago
|
||
Our audit report (signed by auditor representative) which is valid to 30.11.2020 (Next full audit will have been performed on 30.11.2019).
|
||
Comment 44•4 years ago
|
||
Our audit report is attached.
|
|
||
Comment 45•4 years ago
|
||
Our signed audit report is attached.
|
||
Comment 46•3 years ago
|
||
Preliminary Audit Report
|
|
||
Comment 47•2 years ago
|
||
Preliminary Audit Report - 2021
|
|
||
Comment 48•2 years ago
|
||
Attachment #9242456 -
Attachment is obsolete: true
|
||
Comment 49•1 year ago
|
||
Test audit report - validate via ALV
|
||
Updated•1 year ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•