This request from the Government of Tunisia is to include the “Tunisian Root 
Certificate Authority - TunRootCA2” root certificate, and enable the Websites 
trust bit.

The request is documented in the following bug:

BR Self Assessment is here:

Summary of Information Gathered and Verified:

* Root Certificate Download URL:

* Documents are in French, translated in English
CP/CPS in French:

CP/CPS in English:

* CA Hierarchy: 
This root will have internally-operated subordinate CAs. 
Currently it has one internally-operated subordinate CA:
- Tunisian Server Certificate Authority - TunServerCA2

* This request is to turn on the Websites trust bit. EV treatment is not 

* CP/CPS of the Tunisian Server Certificate Authority PTC BR:

** Section 1.3.4: 
“In the context of this CP / CPS, a Server Certificate Responsible (SCR) is a 
natural person who is responsible for using the certificate of the server or 
computer device identified in the certificate and the private key corresponding 
to this certificate, on behalf of the entity identified in that certificate. 
The SCR is contractually, hierarchically or legally bound to this entity.”

** Section 3.2.2:
“Authentication of a client organization is done by checking the following 
The certificate application form duly completed and signed by the applicant, 
acting as a certificate request, containing in particular the postal address, 
the professional e-mail address and the telephone number enabling the NDCA to 
contact the future bearer;
• A copy of the National Identity Card, passport or residence card of the 
applicant and the SCR;
• An extract from the trade register not exceeding three months;
The bearer must be informed that the personal identity information he has 
provided for the registration file will be retained.
The verification and validation of the request are carried out in accordance 
with the provisions described in section 4.2.”

** Section 4.2.1:
"For the purpose of verifying the identities of the applicants, the RA, 
performs the following operations:
check the consistency of the registration dossier and the supporting documents 
verify the accuracy of the purchase order and payment;
verify that the organization holds the domain name by consulting the official 
databases of AFRINIC or INTERNIC domain names, and 
ensure that the SCR is aware of the terms and conditions applicable to the use 
of the certificate.
Upon completion of these transactions, the RA sends the request to the CA 
components responsible for certificate production. The RA then retains a copy 
of the proof of identity submitted in paper or electronic form having a legal 

* EV Policy OID: Not Requesting EV treatment 

* Test Websites
Valid certificate:
Revoked certificate:
Expired certificate:

* CRL URLs: 
CP/CPS section 2.3: A new CRL is published every 24 hours

OCSP responses have a maximum expiration time of 10 days.

* Audit: Annual audits are performed by LSTI according to the ETSI TS 102 042 
for CA and BR audit criteria.

* Forbidden or Problematic Practices 
None Noted

This begins the discussion of the request from the Government of Tunisia is to 
include the “Tunisian Root Certificate Authority - TunRootCA2” root 
certificate, and enable the Websites trust bit.

I will greatly appreciate your constructive and thoughtful feedback on this 

dev-security-policy mailing list

Reply via email to