Closed Bug 1367842 Opened 8 years ago Closed 8 years ago

TurkTrust: Non-audited, non-technically-constrained intermediate certs

Categories

(CA Program :: CA Certificate Compliance, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: atilla.biler)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])

The following intermediate certificates are not audited and are not technically constrained (via EKU and domain constraints) even though they chain up to a root certificate in Mozilla's root store.

1) https://crt.sh/?id=51161665
commonName: TÜRKTRUST Basit Elektronik Sertifika Hizmetleri H5
SHA-256 Fingerprint: FE:7A:94:57:DE:A7:2D:8E:3F:37:2D:A5:30:52:A4:D8:B2:CE:5C:60:A5:B9:B7:98:88:18:12:8E:76:B9:BD:6D

2) https://crt.sh/?id=12624781
commonName: TÜRKTRUST EV SSL Sertifikası Hizmetleri H5
SHA-256 Fingerprint: 4F:2F:97:47:DD:6E:98:4D:D6:09:4B:D5:C5:7A:BB:E9:76:65:E5:9D:0A:BF:0A:89:1D:87:24:CF:93:B3:91:3D

3) https://crt.sh/?id=51161666
commonName: TÜRKTRUST Nesne İmzalama Sertifikası Hizmetleri H5
SHA-256 Fingerprint: 87:57:27:CD:A5:9B:97:90:1F:E0:0A:32:BD:AA:A6:A9:2D:94:B5:F6:C6:D4:45:AB:3A:12:B6:C7:96:E6:9B:17

Here are the options I am aware of:
1) The CA may include these intermediate certs in the audits of their parent cert.
2) The CA may revoke these intermediate certs.
3) The CA may provide an annual audit statement (from a third-party auditor that meets the requirements listed in Mozilla's CA Cert Policy) saying that these certs have not issued any TLS/SSL certs.
4) Mozilla could add these to OneCRL even though they have not been revoked. (This option might be OK for the first two certs listed above, but would not be good for the H5 cert that is intended for issuing SSL certs.)
Assignee: kwilson → atilla.biler
(In reply to Kathleen Wilson from comment #0)
> 4) Mozilla could add these to OneCRL even though they have not been
> revoked.(this option might be OK for the first two certs listed above, but
> would not be good for the H5 cert that is intended for issuing SSL certs)

The part in parentheses was wrong. The option of adding these to OneCRL would be OK for these two, since they are not intended for issuing TLS/SSL certs:

1) https://crt.sh/?id=51161665
commonName: TÜRKTRUST Basit Elektronik Sertifika Hizmetleri H5
SHA-256 Fingerprint: FE:7A:94:57:DE:A7:2D:8E:3F:37:2D:A5:30:52:A4:D8:B2:CE:5C:60:A5:B9:B7:98:88:18:12:8E:76:B9:BD:6D

3) https://crt.sh/?id=51161666
commonName: TÜRKTRUST Nesne İmzalama Sertifikası Hizmetleri H5
SHA-256 Fingerprint: 87:57:27:CD:A5:9B:97:90:1F:E0:0A:32:BD:AA:A6:A9:2D:94:B5:F6:C6:D4:45:AB:3A:12:B6:C7:96:E6:9B:17
I have filed Bug #1381863 per the CA's request, to add these three non-audited intermediate certificates to OneCRL, even though they are not revoked.
Depends on: 1381863
Kathleen, Gerv: Bug 1381863 is resolved, which acts as a remediation. It's unclear whether there is any information Mozilla would like with respect to how this came to be or how to resolve this from a process or issuance flow.
Flags: needinfo?(kwilson)
Flags: needinfo?(gerv)
These intermediate certs have been added to OneCRL, and they chain up to a root cert that only has the Websites trust bit enabled. Therefore, there is no further action required by Mozilla regarding this particular issue. Of course, the CA is expected to correctly follow Mozilla's rules regarding intermediate certs (and publicly-disclosed audit statements) for all of their other intermediate certs and new intermediate certs.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kwilson)
Resolution: --- → FIXED
Flags: needinfo?(gerv)
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]