Closed
Bug 826666
Opened 11 years ago
Closed 11 years ago
remove turktrust certificates
Categories
(NSS :: CA Certificates Code, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: calestyo, Unassigned)
Details
(Whiteboard: [Discussion on dev.security.policy, not in this bug please])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 Iceweasel/17.0.1
Build ID: 20121201094343

Actual results:
As found out by Google, Turktrust has issued blindly even two SubCA certificates to normal users which then used these to create "forged" certificates. See e.g. here: http://googleonlinesecurity.blogspot.de/2013/01/enhancing-digital-certificate-security.html

I think this shows that TurkTrust is not really trustworthy or competent enough to have their root certs included and thus they should be removed.
Reporter
Comment 1•11 years ago
As rumours imply, Turktrust even found out about that itself in August 2011... but apparently they took no action. Throw them out.... immediately... not stupid back and forth questioning as with DigiNotar.
Comment 2•11 years ago
The discussion of this is happening in the dev.security.policy mailing list: https://lists.mozilla.org/listinfo/dev-security-policy

Let's please keep the comments in this here to only the engineering work of removing the certs (if we decide to do so). Let's please use the dev.security.policy mailing list for the debate about whether or not to do so, or whether to do something else.
Whiteboard: [Discussion on dev.security.policy, not in this bug please]
Comment 3•11 years ago
We should resolve this bug. I assume it is WONTFIX since we ended up giving TURKTrust EV treatment. We already distrusted the cert we know that TURKTrust mis-issued. Kathleen, please confirm.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(kwilson)
Resolution: --- → WONTFIX
Comment 4•11 years ago
(In reply to Brian Smith (:briansmith, was :bsmith@mozilla.com) from comment #3)
> We should resolve this bug. I assume it is WONTFIX...
> We already distrusted the cert we know that TURKTrust mis-issued.
> Kathleen, please confirm.

Yes, that is correct. Discussion was here: https://groups.google.com/d/msg/mozilla.dev.security.policy/aqn0Zm-KxQ0/dKcSqK4Xky0J
Flags: needinfo?(kwilson)