Closed Bug 1439127 Opened 7 years ago Closed 6 years ago

TurkTrust: Failure to respond to January 2018 survey

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: wthayer, Assigned: atilla.biler)

Details

(Whiteboard: [ca-compliance] [disclosure-failure]) 

The deadline for response to the January 2018 CA Communication survey was February 9. TurkTrust has not responded as of February 16.

Please respond to this incident with the following information:
1. Why was no response received from your organization?
2. Confirm that the CA email alias in CCADB is correct for your organization.
3. Explain why your monitoring of the mozilla.dev.security.policy list (a requirement of Mozilla policy section 2.1), did not result in your organization responding to this survey.
3. Explain what changes will be made to ensure that future actions requested of your organization by Mozilla occur promptly and no later than any communicated deadline.
Assignee: wthayer → atilla.biler
Whiteboard: [ca-compliance]
Our answers, as TURKTRUST, to the questions above are as follows:

1.	Why was no response received from your organization?

We had been passing through a strategic reorganization about the future SSL business activities of TURKTRUST lately. As it is very well known by all SSL stakeholders including CA/Browser Forum members, our new roots had been accepted by all browser root stores except Apple Root Certificate Program. After our previous roots had completed their lifetime, we hadn’t been able to maintain recognition of our SSL certificates throughout Apple devices including the ones using iOS and macOS systems. Hence, we had temporarily suspended our SSL activities during late 2016. An announcement about this suspension was made to the CA/Browser Forum members and management at that date. We used formal communication channels to reach the related Apple Turkey and Apple US representatives, but found a real difficulty in reaching the right persons or getting a feedback from Apple Root Certificate Program in anyway. Nevertheless, we haven’t got any improvements about the solution of this case on the Apple side since then. 

Hence, we have made a strategic decision as of 2018 recently. This is the main reason for our delayed response to Mozilla inquiries.
 
The strategic decision mentioned above is actually suspending all SSL business supporting activities that incur direct costs for TURKTRUST, including suspending the ETSI and BR audits or OV and EV SSL related insurance policies. We have also ceased our investment and studies on CT and CAA requirements for the time being that are actually mandatory criteria set by the CA/Browser Forum. This situation will continue until we achieve positive improvements on the Apple side. 
 
In the meantime, we will continue our CA business and activities apart from SSL, namely for secure electronic signature and qualified electronic certificate services compliant to Turkish and EU legislation. This means we will be under continuous audits of our government regulatory and assessment body ICTA (Information and Communication Technologies Authority of Turkey) concerning our CA services except SSL. We will also maintain the mandatory insurance necessary for our qualified electronic certificate services according to our own legislation.

2.	Confirm that the CA email alias in CCADB is correct for your organization.

We confirm here that the CA email alias in CCADB is correct for our organization.

3.	Explain why your monitoring of the mozilla.dev.security.policy list (a requirement of Mozilla policy section 2.1), did not result in your organization responding to this survey.

Response to the specified survey was delayed due to the reasons stated above.

4.	Explain what changes will be made to ensure that future actions requested of your organization by Mozilla occur promptly and no later than any communicated deadline.

We will be monitoring the mozilla.dev.security.policy list and following all Mozilla policies as before and we will continue to take any required future actions promptly.
Initiated discussion for removal of the TURKTRUST root on the mozilla.dev.security.policy forum.
The discussion reached agreement that this root should be removed. A bug will be filed for that action.

https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/Wze3b0kKPpU
I have filed Bug #1448506 to remove the TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 root cert.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]
You need to log in before you can comment on or make changes to this bug.