TurkTrust has applied to include the SHA-256 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" and "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" root certificates; turn on the Websites trust bit for both roots, turn on the Code Signing trust bit for the H5 root, and enable EV treatment for the H6 root. TurkTrust's SHA-1 root certificates were included in NSS via Bugzilla Bug #380635 and Bug #433845.

TurkTrust Information Security Services Inc. is an IT company based in Turkey. TurkTrust is an authorized qualified electronic certificate service provider according to the Turkish Electronic Signature Law. TurkTrust provides qualified certificates, time-stamping services, SSL certificates, and object signing certificates.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1007683

And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8563503

Noteworthy points:

* The primary documents are in Turkish and English

Document Repository: http://www.turktrust.com.tr/en/bilgi-deposu

English versions:
CP (SSL, EVSSL, OSC): http://dl.turktrust.com.tr/pdf/TURKTRUST-CP-v09-SSL.pdf
CPS (SSL, EVSSL, OSC): http://dl.turktrust.com.tr/pdf/TURKTRUST-CPS-v09-SSL.pdf

* CA Hierarchy: Both roots have internally-operated subordinate CAs, which are available here: http://www.turktrust.com.tr/en/bilgi-deposu/kok-sertifikalari-kurulumu-ve-iptal-listeleri/
** The H5 root information is in the "5th Root Hierarchy" section, with the following subCAs:
- SSL subCA: TURKTRUST Electronic Server Certificate Services Certificate
- Non-QEC subCA: TURKTRUST Simple Electronic Certificate Services Certificate
- Code-Signing subCA: TURKTRUST Object Signing Services Certificate
** The H6 Root is in the "6th Root Hierarchy" section, with the following subCA:
- EV SSL subCA: TURKTRUST Electronic Server Certificate Services Certificate (EVSSL)

* This request is to turn on the Websites trust bit for both roots, turn on the Code Signing trust bit for the H5 root, and enable EV treatment for the H6 root.

** Domain/e-mail validation is performed by TURKTRUST CA and is not delegated to any third party.

** The following e-mail address prefixes are used for domain verification: "admin", "administrator", "webmaster", "hostmaster" or "postmaster".

** CPS Section 1.2: TURKTRUST OSC Policy (2.16.792.3.0.3.1.1.4) covers certificates related to object signing operations. OSC is issued and maintained in conformity with "Normalized Certificate Policy" defined in ETSI TS 102 042.

** Section 1.6.2: Object Signing Certificate (OSC): The certificate that verifies the owner of the source code of software that can be executed on a computer.

** Section 3.1.5.3. OSC: DN in TURKTRUST OSC is formed as below:
- "CN" contains complete name of the subscriber, which is based on the official documentation according to the legislation of residence.

** Section 3.2.2: In cases where a certificate contains the name of a legal entity, that name shall be verified against the official documents of the country of residence of the applicant.

** CPS section 3.2.2.1. SSL or OSC: The name of the legal entity is verified against the official documents of the country of residence of the applicant. Verification herein is executed according to the TURKTRUST procedures. For SSL and OSC applications, different control steps are applied depending on whether the request is domestic or foreign; this distinction is based on the residential address of the subscriber. The subscriber's legal existence and credentials, domain name, the existence of the applicant's representative and of the application, CSR information and so forth should be verified. This verification is done with a unique user name and activation code sent to the authorized person's e-mail address.

** CPS section 3.2.2.2, EV SSL: In verification of an EV SSL application, the minimum criteria to be met are as follows:
- The name of the legal entity is verified against the official documents of the country of residence of the applicant. In addition to this verification, a circular of signature or an equivalent official document under the applicable legislation, showing the authority of the applicant to act on behalf of the legal entity, is required.
- Operational existence of the legal entity is confirmed via a third party who is a buyer of a product or service of the legal entity. Where possible, an official document obtained from a public agency, or from a person legally authorized to issue it, proving the operational existence suffices for verification.
- The address of the legal entity's place of business is verified according to the legal documents of the country of residence. Moreover, the telephone numbers submitted by the applicant are checked to confirm that they exactly match the official records. In case of mismatch, correction is required. The verified telephone number is then called so that the applicant can confirm the application.
- The e-mail address submitted by the authorized person who conducts the application operations on behalf of the subscriber must be verified. This verification is done with a unique user name and activation code sent to the authorized person's e-mail address.
- The following conditions must be met as well:
-- The legal entity is the owner of the DNS registry, or
-- The legal entity has been given the exclusive right and authority to use the DNS name.
All conditions that apply for authentication of a legal entity for an EV SSL applicant are given in the Appendix. Given the conditions here, the process of authentication of legal persons is conducted according to the TURKTRUST procedures.


* EV Policy OID: 2.16.792.3.0.3.1.1.5

* Root Cert URLs
http://www.turktrust.com.tr/sertifikalar/TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_h5.crt
http://www.turktrust.com.tr/sertifikalar/TURKTRUST_Elektronik_Sertifika_Hizmet_Saglayicisi_h6.crt

* Test Websites
https://testsuite12001.turktrust.com.tr
https://testsuite12002.turktrust.com.tr

* CRL
http://www.turktrust.com.tr/sil/TURKTRUST_SSL_SIL_h5.crl
http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL_h5.crl
http://www.turktrust.com.tr/sil/TURKTRUST_EV_SSL_SIL_h6.crl
http://www.turktrust.com.tr/sil/TURKTRUST_Kok_SIL_h6.crl

* OCSP
http://ocsp.turktrust.com.tr/

* Audit: Annual audits are performed by TUVIT, according to the ETSI TS 102 042 criteria.
https://www.tuvit.de/en/certification-overview-1265-trusted-site-etsi-certificates-1334.htm

* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** None Noted.

This begins the discussion of the request from TurkTrust to include the SHA-256 "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" and "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6" root certificates; turn on the Websites trust bit for both roots, turn on the Code Signing trust bit for the H5 root, and enable EV treatment for the H6 root.

At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

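The EV policy OID listed in the message above (2.16.792.3.0.3.1.1.5) is what a browser keys EV treatment on, together with the root's fingerprint: the EV indicator appears only when the leaf's certificatePolicies extension asserts that OID and the chain ends at the enabled root. The following Python is an added example, not code from TurkTrust or Mozilla, that encodes the OID to DER and checks a DER certificatePolicies extension value for it. It uses only the standard library; the sample extension values are constructed inside the block rather than taken from any real certificate, and the CA/Browser Forum EV marker OID 2.23.140.1.1 is included as a second policy purely for illustration.

```python
# Added example (not TurkTrust's or Mozilla's code): encode the EV policy OID
# from the request to DER and check whether a certificatePolicies extension
# value carries it. Only the standard library is used; the sample extension
# values at the bottom are constructed here, not taken from a real certificate.

EV_POLICY_OID = "2.16.792.3.0.3.1.1.5"   # EV policy OID listed in the request
OSC_POLICY_OID = "2.16.792.3.0.3.1.1.4"  # OSC policy OID from CPS section 1.2
CABF_EV_OID = "2.23.140.1.1"             # CA/Browser Forum EV marker OID


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: %r" % dotted)
    body = bytearray()
    # The first two arcs share one sub-identifier; every sub-identifier is
    # base-128 with the high bit set on all but its last octet.
    for value in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [value & 0x7F]
        value >>= 7
        while value:
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _der_length(len(body)) + bytes(body)


def decode_oid(content):
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value, pending = [], 0, False
    for b in content:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in lead + arcs[1:])


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, next position)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def policy_oids(ext_value):
    """Return the policyIdentifier OIDs in a DER certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
    """
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_content, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_content))   # qualifiers, if any, are ignored
    return oids


def has_ev_policy(ext_value, ev_oid=EV_POLICY_OID):
    """True if the extension asserts the EV policy OID a browser would key on."""
    return ev_oid in policy_oids(ext_value)


def _seq(*parts):
    body = b"".join(parts)
    return b"\x30" + _der_length(len(body)) + body


# Constructed sample extension values (not from any real certificate).
SAMPLE_EV_EXTENSION = _seq(_seq(encode_oid(EV_POLICY_OID)), _seq(encode_oid(CABF_EV_OID)))
SAMPLE_DV_EXTENSION = _seq(_seq(encode_oid("2.23.140.1.2.1")))

if __name__ == "__main__":
    print(encode_oid(EV_POLICY_OID).hex())      # 0609608618030003010105
    print(policy_oids(SAMPLE_EV_EXTENSION))     # EV OID plus CA/B Forum marker
    print(has_ev_policy(SAMPLE_EV_EXTENSION), has_ev_policy(SAMPLE_DV_EXTENSION))
```

To apply this to a certificate served by one of the test sites, extract the value of the certificatePolicies extension (OID 2.5.29.32) from the DER-encoded leaf and pass it to policy_oids; a leaf issued under the H6 EV SSL subCA should list 2.16.792.3.0.3.1.1.5, while the DV/OV policy under the H5 hierarchy should not.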