Hi Peter,

For the first question, you are right: the "OSC intermediate" certificate is to 
be used exclusively for OSC end certificates. And this intermediate chains 
directly to the "H5" root.

About your second question: yes, we do have an enforcement mechanism to prohibit 
key reuse between OSC and other end entity certificates.

Best Regards,

Volkan Nergiz
TURKTRUST, Inc.

-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+volkan.nergiz=turktrust.com...@lists.mozilla.org]
 On Behalf Of Peter Kurrasch
Sent: Thursday, March 5, 2015 3:57 PM
To: Volkan Nergiz; [email protected]; 
[email protected]
Subject: Re: TurkTrust Root Renewal Request

Hi Volkan, 

Thanks for your response. I think it addresses my concerns though I would like 
one final clarification: The "OSC intermediate" cert is, as I understand it, to 
be used exclusively for OSC end certs. Will this intermediate chain directly to 
the "H5" root or will there be other intermediates in between? 

I guess I have a second question: Does TurkTrust have a policy and enforcement 
mechanism to prohibit key reuse between OSC and other end entity certs?

Thanks. 


  Original Message
From: Volkan Nergiz
Sent: Tuesday, March 3, 2015 9:37 AM
To: [email protected]; 
[email protected]
Subject: Re: TurkTrust Root Renewal Request

Dear All, 



The issue is actually quite clear and explicitly stated in TURKTRUST CP and CPS 
documents. Please see http://dl.turktrust.com.tr/pdf/TURKTRUST-CP-v09-SSL.pdf and 
http://dl.turktrust.com.tr/pdf/TURKTRUST-CPS-v09-SSL.pdf for the English 
versions of TURKTRUST CP and CPS regarding SSL, EV SSL and Object Signing 
(OSC) certificate services.



Currently, TURKTRUST has three explicit OIDs for SSL, EV SSL and OSC 
certificates as follows with dedicated policies:



1. TURKTRUST SSL Certificate Policy (2.16.792.3.0.3.1.1.2) covers OV SSL 
certificates for servers. SSL Certificates are issued and maintained in 
conformity with "Normalized Certificate Policy" defined in ETSI TS 102 042.

2. TURKTRUST OSC Policy (2.16.792.3.0.3.1.1.4) covers certificates related to 
object signing operations. OSC is issued and maintained in conformity with 
"Normalized Certificate Policy" defined in ETSI TS 102 042.

3. TURKTRUST EV SSL Policy (2.16.792.3.0.3.1.1.5) covers certificates related 
to EV SSL certificates. EV SSL certificates are issued and maintained in 
conformity with "Extended Validity Certificate Policy" defined in ETSI TS 102 042.



For EV SSL services, we have a separate EV root in our new hierarchies as 
mandated by the CA/Browser Forum EV Guidelines. This is the "TÜRKTRUST 
Elektronik Sertifika Hizmet Sağlayıcısı H6" root certificate.



For OV SSL and code signing (OSC), we have another separate root certificate, 
namely "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
root certificate.



For our qualified electronic certificate (QEC) services related to our 
e-signature based operations, we have a totally different root called H4.
This is out of discussion in this context.



Hence, the primary distinction related to our discussion is that we have two 
separate roots for EV SSL services and the others.



The second distinction is that we have separate sub-root certificates, i.e.
intermediate certificates, for our OV SSL and OSC certificate services under 
the root H5. That is to say, all certificate types have different policies, 
different OIDs, different intermediates and different operational processes. 



We hope these explanations clarify the issue for all. Should you have any 
further questions, please do not hesitate to contact us.



Best regards,



Volkan NERGİZ


Quality Management System Specialist





TURKTRUST Information Security Services Inc.

Address: Hollanda Caddesi 696. Sokak No: 7 Yıldız, Çankaya 06550 - ANKARA 

Phone: (312) 439 10 00 - 226 Fax: (312) 439 10 01

E-Mail: [email protected]

Web: www.turktrust.com.tr



_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy