Closed Bug 433845 Opened 13 years ago Closed 7 years ago

Add TÜRKTRUST Root CA

Categories

(NSS :: CA Certificate Root Program, task)

x86
Windows XP
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mert.ozarar, Assigned: kwilson)

References

Details

(Whiteboard: In NSS 3.15, Firefox 23, EV in Firefox 26)

Attachments

(10 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

We have already produced and  declared a new root hierarchy and we obviously want to add this third hierarchy to Mozilla store as well. Notice that with the update 2.0.13, the previous two root certificates of TÜRKTRUST had already been included to the trusted CA list. Related bug report can be reached with bug number 380635.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.


Expected Results:  
The new root hierarchy should be included to Mozilla Root CA Store as included previously.
Assignee: nobody → hecker
Component: Security → CA Certificates
Product: Firefox → mozilla.org
QA Contact: firefox → ca-certificates
Version: unspecified → other
I confirm this is an enhancement request.
Group: security
Severity: critical → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Dear Frank,

* A copy of the new root CA certificate has been attached to the report.
* The related information on what subordinate CAs exist under this
root can be accessed through the "TURKTRUST Root Hierarchy - III" image file. All of those subordinate CAs will be operated and controlled by TURKTRUST.
* The qualified electronic certificates (suitable with Turkish Electronic Signature Law) are the only type of end entity certificates that will be issued under this new root's hierarchy.
* The related CPS (English version) is also attached associated with this root.
* This new root will be incorporated in our CA audit same as the previous ones. Same measures, same audit, in short exactly same as those previous two roots.

Best regards,

Mert ÖZARAR
TURKTRUST Representative
Summary: New Root Hierarchy for TÜRKTRUST Certification Authority → Add more TÜRKTRUST Root CAs
Attachment #322069 - Attachment is patch: false
Attachment #322069 - Attachment mime type: text/plain → image/jpeg
Attachment #322073 - Attachment description: CPS associated with the new root → CPS associated with the new root (MSWord document)
Attachment #322073 - Attachment is patch: false
Attachment #322073 - Attachment mime type: text/plain → application/octet-stream
Attachment #321914 - Attachment is patch: false
Attachment #321914 - Attachment mime type: text/plain → application/x-x509-ca-cert
Attachment #322073 - Attachment mime type: application/octet-stream → application/msword
Accepting this bug so I can proceed with the information gathering and verification phase.
Assignee: hecker → kathleen95014
Status: NEW → ASSIGNED
Attached is the initial information gathering document which summarizes the information that has been gathered and verified for this request. Please review the document and let me know if you would like to make further clarifications or corrections. The items highlighted in yellow in the attached document indicate the information that is still needed.  I will summarize below:

1) It looks like only the email trust bit needs to be enabled for this root. Please confirm or correct.
As you know, you can enable one or more of the trust bits:
Websites (SSL/TLS)
Email (S/MIME)
Code (Code Signing)

2) For testing purposes, please provide a sample certificate chaining up to this root.

3) Please provide a recent audit report that satisfies sections 8, 9, and 10 of http://www.mozilla.org/projects/security/certs/policy/

Thanks,
Kathleen
Whiteboard: information incomplete
There has been no activity in this bug for over a year.

Is this request obsolete?
Closing bug due to no recent response from CA.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Re-opening per request from the CA. This request is still valid, and the CA will respond soon.
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
Status: REOPENED → ASSIGNED
I have reviewed the initial Information Gathering Document and the needed answers to the items highlighted in yellow are as follows:

1. All of the trust bits 
- Websites (SSL/TLS)
- Email (S/MIME)
- Code (Code Signing)
can be enabled for this root hierarchy.

2. A sample certificate chaining up to this root has been uploaded to the attachments with the file name "SampleCertificate.cer" in DER-encoded form.

3. The most recent audit report has also been uploaded to the attachments with the file name "turktrust9.gif".

Warmest regards,

Mert ÖZARAR
TURKTRUST Representative
Thank you for the information. I would like to request some more information.

1) Please explain the relation between this root and the other TURKTRUST roots currently included in NSS.

2) Since you want to enable the websites trust bit for this root, please provide a url to a website whose SSL cert chains up to this root. (may be a test website)

3) Please provide updated information about the sub-CAs under this root. How many sub-CAs are signed by this root, what are they, what do they sign? Are any (or will any) sub-CAs be operated by third parties? Has (or will) this root been involved in cross-signing with another root?

4) Please review the http://wiki.mozilla.org/CA:Problematic_Practices wiki page and provide further information about the items that are relevant.
Here are the answers, sorry for the late reply:

1. This root stands in a horizontal hierarchy  with others. The main aim of this root is to issue certificates for Mobile PKI (i.e. mobile signatures).

2. https://destek.turktrust.com.tr 

3. 
 i. QEC Sub Root
 ii. SSL Sub Root
 iii. OCSP Responder Certificate
 iv. Time Stamping Certificate

4. Understood, shall revert if necessary.

What will be our next step?

Warmest regards,

Mert ÖZARAR
TURKTRUST Representative
Thank you for the clarification.

In regards to the test website: https://destek.turktrust.com.tr/
When I enforce OCSP in my Firefox browser and try to load this website, I get the error:
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)
Please see: https://wiki.mozilla.org/CA:Problematic_Practices#OCSP_Responses_signed_by_a_certificate_under_a_different_root

> What will be our next step?
After the information gathering and verification step is completed, the next step is the queue for public discussion: 
https://wiki.mozilla.org/CA:How_to_apply#Timeline
Summary: Add more TÜRKTRUST Root CAs → Add TÜRKTRUST Root CA
Thanks Kate for the remark, we have solved the error. Please check it out.

Looking forward to taking a position in the queue.

(In reply to comment #16)
> Thank you for the clarification.
> 
> In regards to the test website: https://destek.turktrust.com.tr/
> When I enforce OCSP in my Firefox browser and try to load this website, I get
> the error:
> Invalid OCSP signing certificate in OCSP response.
> (Error code: sec_error_ocsp_invalid_signing_cert)
> Please see:
> https://wiki.mozilla.org/CA:Problematic_Practices#OCSP_Responses_signed_by_a_certificate_under_a_different_root
> 
> > What will be our next step?
> After the information gathering and verification step is completed, the next
> step is the queue for public discussion: 
> https://wiki.mozilla.org/CA:How_to_apply#Timeline
I just tried a few times, and it still fails for me. Maybe I need to wait for the changes to get propagated to the servers?
I just tried connecting to https://destek.turktrust.com.tr/ again, and I get the error:
An error occurred during a connection to destek.turktrust.com.tr.
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)

If I turn off enforcement of OCSP in my Firefox browser the page loads.

Note that when I turn enforcement of OCSP back on, I clear the history in my browser. Then I get the error when I try to access the website again.
Attached file Completed CA Information Document (obsolete) —
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about two weeks. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may be in the discussion for
several weeks. When there are not enough people contributing to the discussions
ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Participating in other discussions is a great way to learn the expectations and
be prepared for the discussion of your request.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: information incomplete → Information confirmed complete
This request is also to EV-enable this root, as per bug #715136.
Whiteboard: Information confirmed complete → EV - Information confirmed complete
Duplicate of this bug: 715136
I am reviewing my notes for this request.  Please...

1) Provide a test website whose EV SSL cert chains up to this root.

2) Perform the EV testing as described here 
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
(this item will not hold up discussion, but will be needed before I can file the PSM bug)

3) Provide more recent audit statements or an estimate of when they will be available.
The ones I have are:
http://www.btk.gov.tr/bilgi_teknolojileri/elektronik_imza/TURKTRUST_LETTER_2011.pdf (2011.10.17)
https://bugzilla.mozilla.org/attachment.cgi?id=585759  (2011.12.20)

4) In regards to http://wiki.mozilla.org/CA:Problematic_Practices
Does TurkTrust issue certs referencing hostnames or private IP addresses or issue SSL certs for internal domains?
(In reply to Kathleen Wilson from comment #24)
> 3) Provide more recent audit statements or an estimate of when they will be
> available.
> The ones I have are:
> http://www.btk.gov.tr/bilgi_teknolojileri/elektronik_imza/
> TURKTRUST_LETTER_2011.pdf (2011.10.17)
> https://bugzilla.mozilla.org/attachment.cgi?id=585759  (2011.12.20)


Ooops! Please ignore #3.
The following statements in the CPS seem to contradict each other:

* CPS section 3.2.2.1, QEC, SSL or OSC: The e-mail address submitted by the authorized person who conducts the application operations on behalf of the subscriber should be verified. This verification is done with a unique user name and activation code sent to the authorized person’s e-mail address.

* CPS section 3.2.4: The e-mail addresses in QEC applications are accepted upon the declaration of the applicant and contained in the certificate without further verification.
The Turkish version of the CPS is correct yet there has been a mistake during English translation most probably (copy/paste mistake). You can find the corrected version of our latest CPS where in 3.2.2.1;
"For SSL and OSC applications, the e-mail address submitted by the authorized person
who conducts the application operations on behalf of the subscriber should be verified. This verification is done with a unique user name and activation code sent to the authorized person’s e-mail address."

* QEC has been cancelled out in the translated text.

Thanks for warning,

Regards,

Mert
The answers to the questions are as follows:

1. https://evssl.turktrust.com.tr

2. We have passed through the given URL (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
It says:
"We are willing to help you produce those technical representation. If you have started the formal process to request being added to the Mozilla root store, and have attached your root to a bugzilla bug, you may ask us to produce it for you."

Could you please provide us this text file? We have done the previous steps.

4. Simply, does not.

Mert
Is this request to turn on all three trust bits? 
1) Websites (SSL/TLS)
2) Email (S/MIME)
3) Code (Code Signing)

Please see item #7 of
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html

I am not finding the text in the CP/CPS that satisfies this: 
"for a certificate to be used for digitally signing or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf;"

Therefore, I think that this request should be to turn on the websites and code signing trust bits, but not the email trust bit.
(In reply to Mert Özarar from comment #29)
> 
> 1. https://evssl.turktrust.com.tr

I imported the root cert into my browser, but I get the following error when I try to browse to this website when I have OCSP set to hard fail when the OCSP server connection fails. When I un-check the box to hard fail when OCSP fails, then I am able to browse to the website.

Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP

The signer of the OCSP response is not authorized to give status for this certificate.
(Error code: sec_error_ocsp_unauthorized_response)
(In reply to Mert Özarar from comment #29)
> 
> 2. We have passed through the given URL
> (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
> It says:
> "We are willing to help you produce those technical representation. If you
> have started the formal process to request being added to the Mozilla root
> store, and have attached your root to a bugzilla bug, you may ask us to
> produce it for you."
> 
> Could you please provide us this text file? We have done the previous steps.
> 

I have sent email to Kai asking him to create the file. Note that this just needs to be done before I create the PSM bug. The discussion and approval phase may proceed after Comment #30 and Comment #31 are resolved.
What may your OCSP response maximum expiration time be set to?

CA/Browser Forum's EV Guidelines Section 26(b): “If the CA provides revocation information via an Online Certificate Status Protocol (OCSP) service, it MUST update that service at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days.”
(In reply to Kathleen Wilson from comment #30)
> Is this request to turn on all three trust bits? 
> 1) Websites (SSL/TLS)
> 2) Email (S/MIME)
> 3) Code (Code Signing)
> 
> Please see item #7 of
> http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
> 
> I am not finding the text in the CP/CPS that satisfies this: 
> "for a certificate to be used for digitally signing or encrypting email
> messages, the CA takes reasonable measures to verify that the entity
> submitting the request controls the email account associated with the email
> address referenced in the certificate or has been authorized by the email
> account holder to act on the account holder's behalf;"
> 
> Therefore, I think that this request should be to turn on the websites and
> code signing trust bits, but not the email trust bit.

Obviously, those two trust bits should be turned on.
(In reply to Mert Özarar from comment #34)
> > 
> > Therefore, I think that this request should be to turn on the websites and
> > code signing trust bits, but not the email trust bit.
> 
> Obviously, those two trust bits should be turned on.


OK. I will update my notes to indicate that this request is to turn on the websites and code signing trust bits, and not the email trust bit.

I am getting intermittent errors with the test website https://evssl.turktrust.com.tr/
Sometimes I'm able to browse to this site without error, and other times I get the
error:
An error occurred during a connection to evssl.turktrust.com.tr.
The signer of the OCSP response is not authorized to give status for this certificate.
(Error code: sec_error_ocsp_unauthorized_response)

Right now the behavior is that if I copy-paste the url (https://evssl.turktrust.com.tr/), I browse to it without error. Then if I do a Reload, I get the error.
It is an interesting case, what kind of responses do you get? Could you please share them with us? We've checked out our responder yet could not find a concrete misconfiguration. We need your help to fix the case.



(In reply to Kathleen Wilson from comment #35)
> (In reply to Mert Özarar from comment #34)
> > > 
> > > Therefore, I think that this request should be to turn on the websites and
> > > code signing trust bits, but not the email trust bit.
> > 
> > Obviously, those two trust bits should be turned on.
> 
> 
> OK. I will update my notes to indicate that this request is to turn on the
> websites and code signing trust bits, and not the email trust bit.
> 
> I am getting intermittent errors with the test website
> https://evssl.turktrust.com.tr/
> Sometimes I'm able to browse to this site without error, and other times I
> get the
> error:
> An error occurred during a connection to evssl.turktrust.com.tr.
> The signer of the OCSP response is not authorized to give status for this
> certificate.
> (Error code: sec_error_ocsp_unauthorized_response)
> 
> Right now the behavior is that if I copy-paste the url
> (https://evssl.turktrust.com.tr/), I browse to it without error. Then if I
> do a Reload, I get the error.
(In reply to Kathleen Wilson from comment #35)
> I am getting intermittent errors with the test website
> https://evssl.turktrust.com.tr/
>

I just tried again several times and got the following error:

An error occurred during a connection to evssl.turktrust.com.tr.
The signer of the OCSP response is not authorized to give status for this certificate.
(Error code: sec_error_ocsp_unauthorized_response)

I have manually imported this root:
http://www.turktrust.com.tr/sertifikalar/TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_s3.crt
Please use a fresh cert8.db to test:
https://wiki.mozilla.org/CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings

Then import the new root (let me know if the url I've been using is wrong), and turn on the websites trust bit.

Then browse to https://evssl.turktrust.com.tr/
(In reply to Mert Özarar from comment #29)
> 
> 2. We have passed through the given URL
> (https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version).
> It says:
> "We are willing to help you produce those technical representation. If you
> have started the formal process to request being added to the Mozilla root
> store, and have attached your root to a bugzilla bug, you may ask us to
> produce it for you."
> 
> Could you please provide us this text file?

Please see the attached file. I used the certifiate identified by the SHA1 fingerprint contained in the file.
I have tried the same scenario with cert8.db yet no problem occured on my browser. Please check out my last comment (number 40) about the subject.

(In reply to Kathleen Wilson from comment #37)
> (In reply to Kathleen Wilson from comment #35)
> > I am getting intermittent errors with the test website
> > https://evssl.turktrust.com.tr/
> >
> 
> I just tried again several times and got the following error:
> 
> An error occurred during a connection to evssl.turktrust.com.tr.
> The signer of the OCSP response is not authorized to give status for this
> certificate.
> (Error code: sec_error_ocsp_unauthorized_response)
> 
> I have manually imported this root:
> http://www.turktrust.com.tr/sertifikalar/
> TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_s3.crt
The current certificate hierarchy regarding the EV-SSL certificates and the OCSP responses is as follows:

At the top, we have the self signed root with CN = "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı" and issue date 25.12.2007.

Signed by the root, we have the EV-SSL Subroot with CN = "TÜRKTRUST EV SSL Sunucu Sertifikası Hizmetleri H3 - Sürüm 2" and issue date 25.01.2012.

Signed by the root, we also have the OCSP Responder certificate with CN = "TÜRKTRUST OCSP - Sertifika Durum Protokolü Hizmetleri" and issue date 28.09.2011.

Our EV-SSL certificates are signed by the EV-SL Subroot.

So, the OCSP responses for the EV-SSL certificates are signed by "their parent's sibling" within the same hierarchy.

Do the controls obligate that the responses to be signed by "their own sibling"? But how about the successful connections then?
Well, I've confirmed that the problem has something to do with OCSP -- I turned off OCSP hard fail, and I was able to successfully browse to https://evssl.turktrust.com.tr/. The intermediate cert was successfully loaded, etc.

Then I turned OCSP hard fail back on, and forced the page to reload and I got the sec_error_ocsp_unauthorized_response error again.

Please make sure you turn on OCSP hard fail to test:
https://wiki.mozilla.org/CA:Recommended_Practices#OCSP

Please also note that Kai has provided the test-ev-root in Comment #39, so that you can perform the EV Testing: https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

However, for this test to succeed, OCSP will have to work.
https://wiki.mozilla.org/CA:EV_Revocation_Checking
The test website, https://evssl.turktrust.com.tr/, is working for me now -- I have OCSP enforced and am able to browse to the site without error.
Attachment #555249 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from TÜRKTRUST to add the “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı” root certificate, turn on the websites and code signing trust bits, and enable EV.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “TURKTRUST Additional Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of TÜRKTRUST must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Thanks Kate once again.

I'm ready (as a representative) to respond directly.

Regards,

Mert
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı” root certificate, turn on the websites and code signing trust bits, and enable EV.

Section 4 [Technical]. I am not aware of instances where TÜRKTRUST has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. TÜRKTRUST appears to provide a service relevant to Mozilla users; it is a commercial CA operating in the Republic of Turkey. 

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which are provided in English.


Document Repository: http://www.turktrust.com.tr/en/bilgideposu.html
CP: http://www.turktrust.com.tr/en/files/bilgidepo/TURKTRUST_CP_V-05_%5BEN%5D_(01.11.2011).pdf
CPS: https://bugzilla.mozilla.org/attachment.cgi?id=612540

Section 7 [Validation]. TÜRKTRUST appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Not applicable, not requesting the email trust bit.

* SSL: As per section 3.2 of the CPS, TÜRKTRUST uses an email challenge-response mechanism to confirm the ownership/control of the domain name. For certificates issued to organizations, TÜRKTRUST also validates the organization’s identity, the identity of the organization's representative and his or her authorization to request the certificate.

* Code:  As per section 3.2 of the CPS, object signing certificates are issued to organizations for which TÜRKTRUST has verified the organization’s identity, the identity of the organization's representative and his or her authorization to request the certificate.

Section 15 [Certificate Hierarchy]. 
This is an offline root with internally-operated subordinate CAs which sign end-entity certificates. 

* Both CRL and OCSP are provided 
http://ocsp.turktrust.com.tr
http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL_s3.crl
http://www.turktrust.com.tr/sil/TURKTRUST_SSL_SIL_s3.crl
http://www.turktrust.com.tr/sil/TURKTRUST_EV_SSL_H3_S2.crl
CPS Section 4.10.1: TURKTRUST publishes CRL twice a day within 12 (twelve) hour intervals with a validity period of 24 (twentyfour) hours even if there is no change in the status of certificates.

Sections 9-11 [Audit]. Audits are performed by the Turkish Information and Communication Technologies Authority (ICTA) and the BSI Group The Netherlands B.V. according to the ETSI TS 101 456 and ETSI TS 102 042 - SSL NCP & EV-CP criteria. TURKTRUST is listed as an Electronic Certificate Service Provider and a statement from ICTA is provided here: http://www.btk.gov.tr/bilgi_teknolojileri/elektronik_imza/eshs.php
The ETSI certificate from BSI was attached to the bug,
https://bugzilla.mozilla.org/attachment.cgi?id=585759.
TURKTRUST is also listed as a certified provider on the BSI website, and can be found using “ETS 019” as the Certificate Number:
http://www.bsigroup.com/en/Assessment-and-certification-services/Client-directory/CertificateClient-Directory-Search/

Based on this assessment I intend to approve this request to add the “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı” root certificate, turn on the websites and code signing trust bits, and enable EV.

Note: Before I create the PSM bug for EV, TURKTRUST needs to confirm completion of the EV Testing as described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Kai provided the test-ev-root file in Comment #39.
Whiteboard: EV - In public discussion → EV - Pending Approval
To the representatives of TURKTRUST: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #47, and on behalf of Mozilla I approve this request from TURKTRUST to include the following root certificate in Mozilla:

** TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı (websites, code signing), enable EV.

I will file the NSS bug to include the new root cert.

Before I create the PSM bug for EV enablement, TURKTRUST needs to confirm completion of the EV Testing as described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Kai provided the test-ev-root file in Comment #39.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS, CA action to perform EV testing
Depends on: 768547
I have filed bug #768547 against NSS to include the new root. I will file the PSM bug after the EV testing has been completed.
TURKTRUST confirms the completion of the EV Testing as described here:
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

You can find the attached snapshot for green bar on the test site.
Depends on: 788321
I have filed bug #768547 against NSS and bug #788321 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS, CA action to perform EV testing → EV - Approved - awaiting NSS and PSM
Very recently, problems were reported regarding TÜRKTRUST, indicating a lapse in proper operations.  An intermediate certificate was issued in lieu of a subscriber certificate.  

Will the insertion into the NSS database of the certificate addressed in this bug report be put on hold?
Yes, see
https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/

However, the certs from bug 380635 seem to remain. This doesn't make much sense.
Depends on: 835538
Status: ASSIGNED → RESOLVED
Closed: 11 years ago7 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → In NSS 3.15, Firefox 23, EV in Firefox 26
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.