Closed Bug 826666 Opened 11 years ago Closed 11 years ago

remove turktrust certificates

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: calestyo, Unassigned)

Details

(Whiteboard: [Discussion on dev.security.policy, not in this bug please])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0 Iceweasel/17.0.1
Build ID: 20121201094343



Actual results:

As found out by Google, Turktrust has even blindly issued two SubCA certificates to normal users, who then used these to create "forged" certificates.

See e.g. here: http://googleonlinesecurity.blogspot.de/2013/01/enhancing-digital-certificate-security.html

I think this shows that TurkTrust is not really trustworthy or competent enough to have their root certs included and thus they should be removed.
As rumours imply, Turktrust even found out about that itself in August 2011... but apparently they took no action.

Throw them out.... immediately... not stupid back and forth questioning as with DigiNotar.

The discussion of this is happening in the dev.security.policy mailing list:
https://lists.mozilla.org/listinfo/dev-security-policy

Let's please keep the comments in here to only the engineering work of removing the certs (if we decide to do so). Let's please use the dev.security.policy mailing list for the debate about whether or not to do so, or whether to do something else.
Whiteboard: [Discussion on dev.security.policy, not in this bug please]

We should resolve this bug. I assume it is WONTFIX since we ended up giving TURKTrust EV treatment. We already distrusted the cert we know that TURKTrust mis-issued. Kathleen, please confirm.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(kwilson)
Resolution: --- → WONTFIX

(In reply to Brian Smith (:briansmith, was :bsmith@mozilla.com) from comment #3)
> We should resolve this bug. I assume it is WONTFIX...
> We already distrusted the cert we know that TURKTrust mis-issued. 
> Kathleen, please confirm.

Yes, that is correct.

Discussion was here: https://groups.google.com/d/msg/mozilla.dev.security.policy/aqn0Zm-KxQ0/dKcSqK4Xky0J
Flags: needinfo?(kwilson)