TUBITAK Kamu Sertifikasyon Merkezi - New Root Certificate

Status: RESOLVED FIXED
Type: task

People

(Reporter: tugba.ozcan, Assigned: kwilson)


Details

(Whiteboard: Added in NSS 3.30.2, Firefox 54 and NSS 3.28.5, ESR 52.2. Constrained to *.gov.tr, *.k12.tr, etc.)

Attachments

(14 attachments, 4 obsolete attachments)

CA Details:

Kamu SM (Government Certification Authority) is a government-owned Certificate Authority (CA) in Turkey operated in compliance with the international standards. 

CA Name:

Kamu Sertifikasyon Merkezi

Website:

http://www.kamusm.gov.tr/ (Turkish Only) 

Auditor: Information and Communications Technologies Authority (ICTA) 
Audit Type: According to section 9 of Mozilla's CA Certificate Inclusion Policy, our CA had an audit report from ICTA. ICTA is declared as the regulatory and auditing body for electronic certificate service providers in Turkey by the Turkish Electronic Signature Law. And also, according to sections 10 and 11 of Mozilla's CA Certificate Inclusion Policy, our audit report states that our government CA complies with ETSI TS 101 456, ETSI TS 102 042 and the CA/Browser Forum Baseline Requirements.
The last audit date was April, 30.12.2015
Auditor Website: http://www.btk.gov.tr/tr-TR/Anasayfa
Certificate URL: http://www.btk.gov.tr/File/?path=ROOT%2f1%2fDocuments%2fPages%2fSectors%2f%C4%B0nformation+Technologies+Sector%2fTUB%C4%B0TAK+yetkilendirme.pdf

Certificate Details
-------------------

Certificate Name:
TUBITAK Kamu SM SSL Kok Sertifikası – Surum 1
CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
OU = Kamu Sertifikasyon Merkezi - Kamu SM
O = Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK
L = Gebze - Kocaeli
C = TR

This is the SHA-2 version of the currently included root "TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3". We only updated the signature algorithm from RSA with SHA-1 to RSA with SHA-256. Our purpose is issuing OV SSL certificates to major government entities in Turkey.


Certificate download URL (on CA website):
http://depo.kamusm.gov.tr/ssl/SSLKOKSM.S1.cer 
Version: v3
SHA1 Fingerprint: 31 43 64 9b ec ce 27 ec ed 3a 3f 0b 8f 0d e4 e8 91 dd ee ca
Public key length (for RSA, modulus length) in bits: 
Valid From (YYYY-MM-DD): 2013-11-25
Valid To (YYYY-MM-DD): 2043-10-25


CRL HTTP URL: http://depo.kamusm.gov.tr/ssl/SSLSIL.S1.crl
CRL issuing frequency for subordinate end-entity certificates:
CRL issuing frequency for subordinate CA certificates:
OCSP URL: http://ocspssls1.kamusm.gov.tr 

Class (domain-validated, identity/organizationally-validated or EV): identity/organizationally-validated
Certificate Policy URL: http://depo.kamusm.gov.tr/ilke/
CPS URL: http://depo.kamusm.gov.tr/ilke/
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root
testssl.kamusm.gov.tr
Posted file AuditReport.pdf
Posted file New Root Cert
Dear Sirs;

This is Tuğba from Kamu SM (Government CA of Turkey).

I created this bug report to submit our new root to Mozilla. You can find the initial CA Information form, the audit report and our root certificate in the attachments.

If you require more information, please do not hesitate to contact
I am beginning the Information Verification for this request.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
What are the direct URLs to the CP and CPS in Turkish and English?
You can find the English CP and CPS document at this address:

http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf
(In reply to Tuğba ÖZCAN from comment #6)
> You can find English CP and CPS document in address: 
> 
> http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf

Please provide the URL to the corresponding CP/CPS document in Turkish.
(It's not clear to me which document the English translation is from.)
I've entered the data for this request into the CA Community in SalesForce.

Please review the attached document to ensure it is correct and complete, and provide corrections by posting comments in this bug.

Note: I need to do the revocation test, but the http://certificate.revocationcheck.com/ website is currently down.
(In reply to Kathleen Wilson from comment #8)
> Created attachment 8747330 [details]
> 1262809-CAInformation.pdf
> 
> I've entered the data for this request into the CA Community in SalesForce.
> 
> Please review the attached document to ensure it is correct and complete,
> and provide corrections by posting comments in this bug.
> 
> Note: I need to do the revocation test, but the
> http://certificate.revocationcheck.com/ website is currently down.

Tested, but errors returned:
http://ocspssls1.kamusm.gov.tr (GET)
http://ocspsslkoks1.kamusm.gov.tr (GET)
OCSP service returned 'Malformed'

Server Software: KSM OCSP Server/1.0
    ThisUpdate not set (RFC 5019, section 6.2)
    NextUpdate not set (RFC 5019, section 2.2.4)
Here's the URL to the test output:
https://certificate.revocationcheck.com/testssl.kamusm.gov.tr
(In reply to Kathleen Wilson from comment #9)
> (In reply to Kathleen Wilson from comment #8)
> > Created attachment 8747330 [details]
> > 1262809-CAInformation.pdf
> > 
> > I've entered the data for this request into the CA Community in SalesForce.
> > 
> > Please review the attached document to ensure it is correct and complete,
> > and provide corrections by posting comments in this bug.
> > 
> > Note: I need to do the revocation test, but the
> > http://certificate.revocationcheck.com/ website is currently down.
> 
> Tested, but errors returned:
> http://ocspssls1.kamusm.gov.tr (GET)
> http://ocspsslkoks1.kamusm.gov.tr (GET)
> OCSP service returned 'Malformed'
> 
> Server Software: KSM OCSP Server/1.0
>     ThisUpdate not set (RFC 5019, section 6.2)
>     NextUpdate not set (RFC 5019, section 2.2.4)

We get the "ThisUpdate and NextUpdate not set" error for HTTP GET requests because currently we only respond to POST requests; we will fix it immediately. But as I realized, for POST requests we also get the "NextUpdate not set" error. According to CAB Forum BR section 4.9.9, "OCSP responses MUST conform to RFC2560 and/or RFC5019", and we conform to RFC 2560. Therefore we do not include the nextUpdate field, indicating that "newer revocation information is available all the time" as stated in section 2.4 of RFC 2560.

So, is it enough to respond HTTP GET requests and be conformant to RFC 2560?
(In reply to Tamer ERGUN from comment #11)
> So, is it enough to respond HTTP GET requests and be conformant to RFC 2560?

You are correct. According to rfc6960 the nextUpdate value is optional, but according to rfc5019 (OCSP Profile for High-Volume Environments) it's required. The revocationcheck site is tuned for CAs in high-volume environments.
I will make a note that this is OK.

Please update this bug when the other errors are resolved.
Also...

(In reply to Kathleen Wilson from comment #7)
> (In reply to Tuğba ÖZCAN from comment #6)
> > You can find English CP and CPS document in address: 
> > 
> > http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf
> 
> Please provide the URL to the corresponding CP/CPS document in Turkish.
> (It's not clear to me which document the English translation is from.)
Also, Kamu SM has not responded to the March 2016 CA Communication:
https://wiki.mozilla.org/CA:Communications#March_2016
Hi Kathleen,

We are sorry to be late with the survey; today we responded to the March 2016 CA Communication.

Thanks a lot.
Here is the URL to the corresponding CP/CPS document in Turkish:

http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf 

Thanks
(In reply to Kathleen Wilson from comment #13)
> Also...
> 
> (In reply to Kathleen Wilson from comment #7)
> > (In reply to Tuğba ÖZCAN from comment #6)
> > > You can find English CP and CPS document in address: 
> > > 
> > > http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf
> > 
> > Please provide the URL to the corresponding CP/CPS document in Turkish.
> > (It's not clear to me which document the English translation is from.)


Hi Kathleen,

We have fixed the error for HTTP GET requests, and tested it. Now, it seems OK.

Thanks
Posted file 1262809-CAInformation-Complete.pdf (obsolete) —
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
I will update this bug when I start the discussion.
Whiteboard: Ready for Public Discussion
Hi Kathleen,

I want to ask how much longer we must wait for the discussion. As we know, the maximum duration in the queue is 2 months, but we have been waiting since May. So, we hesitated. Is there a problem with our application?

Thanks a lot.
Please let me know where you got the impression that the *maximum* duration in the queue is 2 months, so I can fix that. The timing is dependent on the other CA requests that are in the queue ahead of yours, and how promptly people are reviewing and commenting in the discussions.

If you are not following the mozilla.dev.security.policy forum, then I recommend that you begin doing so.
https://groups.google.com/d/msg/mozilla.dev.security.policy

Also, it is a good idea to see what is requested of the CAs who are currently in the public discussion phase.
I checked now. As I read before from https://wiki.mozilla.org/CA:How_to_apply, in the Timeline part, Queue for Public Discussion is 1 month and 2 months respectively; I took those as the minimum and maximum cases. But now I checked again and see those are the best and typical cases.

Also, thank you for your advice; it is a good idea to follow the forum page. We will start to catch up on the requests of the current CAs.
I have sent email to the auditor to confirm the authenticity of the audit statement. -- As per Mozilla's process when audit statements are provided by the CA (rather than being posted on the auditor's website or a site like webtrust.org).
I received email from the auditor confirming the authenticity of the attached audit statement, and clarifying:
The roots and subroots audited according to the ETSI TS 102 042 v2.4.1 audit criteria and Baseline Requirements, here:
Root Name: TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
SHA-256 Hash Value: e4c73430d7a5b50925df43370a0d216e9a79b9d6db8373a0c69eb1cc31c7c52a
    Sub Root Name: Cihaz Sertifikası Hizmet Sağlayıcısı - Sürüm 4
    SHA-256 Hash Value: 51d849fc27c5b3115bf056751b0c6afb4b2999e644c7bb2082a0b98d9058e28d
Root Name: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
SHA-256 Hash Value: 46edc3689046d53a453fb3104ab80dcaec658b2660ea1629dd7e867990648716
    Sub Root Name: TUBITAK Kamu SM SSL Sertifika Hizmet Saglayicisi - Surum 1
    SHA-256 Hash Value: 4571659aaf715c13ee703e3643dfcbaeee2d82110ca68eb57cb67ce0

... the audit period was 19.12.2015 – 19.12.2016.
Attachment #8755609 - Attachment is obsolete: true
I am now opening the public discussion period for this request from Kamu Sertifikasyon Merkezi (Kamu SM) to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate and enable the Websites trust bit.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://groups.google.com/d/msg/mozilla.dev.security.policy/vjXyml8Hy-E/5JUs8e3YDAAJ

The discussion thread is called "Include Renewed Kamu SM root certificate".

Please actively review, respond, and contribute to the discussion.

A representative of this CA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Ready for Public Discussion → In Public Discussion
We have created a Test Website - Expired and a Test Website - Revoked for this new root. You can find them at these addresses:

Revoked: 

https://testsslrevoked.kamusm.gov.tr/ 

Expired:

https://testsslexpired.kamusm.gov.tr/
Hi Kathleen,

Our updated CP/CPS documents in Turkish and in English are now on our web page. Here are the related links:

http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf

http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf

Also, I am adding the latest versions to this bug.

Thanks a lot.
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

* Inclusion Policy Section 4 [Technical]. 
I am not aware of instances where the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

* Inclusion Policy Section 6 [Relevance and Policy].	 
Kamu SM appears to provide a service relevant to Mozilla users. Kamu SM is a government-owned Certificate Authority in Turkey operated in compliance with the international standards.

Note that the CA has indicated that Mozilla may constrain this root cert to the following TLDs:
gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr and org.tr 
As a government CA that only issues certificates to government-owned domains (restricted to the TLDs listed above), Kamu SM does not issue any certificates outside of Turkey.  

Root Certificate Name: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
O From Issuer Field: Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK
Trust Bits: Websites
EV Policy OID: Not EV
Root Certificate Download URL: 
https://bugzilla.mozilla.org/attachment.cgi?id=8738995
http://depo.kamusm.gov.tr/ssl/SSLKOKSM.S1.cer

Certificate Hierarchy
This root certificate has internally operated subordinate CAs that issue SSL end-entity certificates. 

Certificate Revocation
CRL URLs: 
http://depo.kamusm.gov.tr/ssl/SSLSIL.S1.crl
http://depo.kamusm.gov.tr/ssl/SSLKOKSIL.S1.crl
SSL CP/CPS Section 4.9.7: CRL for end-entity certs is valid for maximum of 36 hours.
OCSP URLs: 
http://ocspssls1.kamusm.gov.tr
http://ocspsslkoks1.kamusm.gov.tr

* The primary document, the SSL CP/CPS, is provided in both Turkish and English. 
Document Repository: http://depo.kamusm.gov.tr/ilke/
SSL CP/CPS:
http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_Tr.pdf
http://depo.kamusm.gov.tr/ilke/KamuSM_CPS/KamuSM_CPS_En.pdf

* Inclusion Policy Section 7 [Validation] 
Kamu SM appears to meet the minimum requirements for subscriber verification, as follows:

** SSL Verification Procedures: According to section 3.2.2 of the SSL CPS, Kamu SM verifies the domain name by checking nic.tr (the domain name registrar in Turkey), communicating directly with the Domain Name Registrant using an email or telephone number provided by nic.tr, and requesting and verifying an agreed-upon change to information found on an online web page identified by a uniform resource identifier containing the full domain name.

** Email Verification Procedures: Not requesting the Email trust bit

* Audit: Annual audits are performed by Information and Communications Technologies Authority (ICTA) according to the ETSI TS 102 042 v2.4.1 criteria.
Audit Statement: https://bug1262809.bmoattachments.org/attachment.cgi?id=8819839
I received email from the auditor confirming the authenticity of the audit statement.
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1262809#c25

* Potentially Problematic Practices: None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices) 

Based on this assessment I intend to approve this request from Kamu SM to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit.
Severity: major → enhancement
Whiteboard: In Public Discussion → Pending Approval
As per the summary in Comment #33, and on behalf of Mozilla I approve this request from the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) to include the following root certificate:

** "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" (Websites)

I will file the NSS bug for the approved change to include this root cert and constrain it to the following TLDs:
gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr and org.tr
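Added example, not NSS or Mozilla code: how the TLD restriction approved above plays out for the dNSNames in a certificate's SubjectAltName. The permitted list is the one in the approval; the matching rule is RFC 5280 section 4.2.1.10 (a constraint "gov.tr" permits "gov.tr" itself and every name ending in ".gov.tr", excluded subtrees win over permitted ones); dropping a leading wildcard label before matching is this example's choice, not a documented NSS behaviour.

```python
# Permitted dNSName subtrees for the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root,
# copied from the approval comment in this bug.
PERMITTED_SUBTREES = ("gov.tr", "k12.tr", "pol.tr", "mil.tr", "tsk.tr",
                      "kep.tr", "bel.tr", "edu.tr", "org.tr")

def _in_subtree(host: str, subtree: str) -> bool:
    """RFC 5280 dNSName rule: equal to the subtree, or ends with '.' + subtree (case-insensitive)."""
    host = host.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return host == subtree or host.endswith("." + subtree)

def dns_name_allowed(name: str, permitted=PERMITTED_SUBTREES, excluded=()) -> bool:
    """Evaluate one dNSName against permittedSubtrees/excludedSubtrees.

    A leading wildcard label is removed first (assumption of this example), so
    '*.example.gov.tr' is judged by 'example.gov.tr'. An empty permitted list means
    'no restriction', as in RFC 5280; any excluded match rejects the name outright.
    """
    host = name[2:] if name.startswith("*.") else name
    if any(_in_subtree(host, s) for s in excluded):
        return False
    return not permitted or any(_in_subtree(host, s) for s in permitted)

def names_outside_constraint(san_dns_names, permitted=PERMITTED_SUBTREES, excluded=()):
    """Names that would make a certificate chaining to the constrained root fail validation."""
    return [n for n in san_dns_names if not dns_name_allowed(n, permitted, excluded)]
```

Feed the function the dNSName values pulled from a leaf certificate's SAN extension; one name outside the permitted subtrees is enough for path validation to reject the whole certificate.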
Whiteboard: Pending Approval → [ca-approved] Pending NSS changes
Depends on: 1349705
I have filed bug #1349705 against NSS for the actual change.
Whiteboard: [ca-approved] Pending NSS changes → [ca-approved] Pending NSS changes - Constrain to *.gov.tr, *.k12.tr, etc.
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Whiteboard: [ca-approved] Pending NSS changes - Constrain to *.gov.tr, *.k12.tr, etc. → Added in NSS 3.30.2, Firefox 54 and NSS 3.28.5, ESR 52.2. Constrained to *.gov.tr, *.k12.tr, etc.
Product: mozilla.org → NSS
Our audit report, which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).
Our audit report (signed by the auditor's representative), which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).
Our eIDAS certificate, which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).
Our eIDAS certificate (signed by the auditor's representative), which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).
Posted file AuditReportandCertificate.zip (obsolete) —
All audit documents for download and CCADB Case.
Attachment #9029921 - Attachment is obsolete: true
Attachment #9029923 - Attachment is obsolete: true
Attachment #9029927 - Attachment is obsolete: true
Our audit report, which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).
Our audit report (signed by the auditor's representative), which is valid until 30.11.2020 (the next full audit will be performed on 30.11.2019).