The TunrootCA2 root operates under the following CPS:

The TunserverCA2 subordinate CA operates under a different CPS:

I have reviewed the supplied BR Self Assessment, the CPSes, and related 
information, and have the following comments:

* Misissued certificates reported earlier in this thread have been revoked

* Numerous warning-level lint errors in issued certificates:
* From the US, the server is returning an error or taking more than one minute 
to deliver the CRL at ( is 
also timing out)
* The great majority of certificates issued by this CA fall under the .tn TLD; 
however, the Government of Tunisia has not requested that the root be 
constrained to issuance for .tn names.
* The subordinate CA certificate contains no EKU extension, so it is not 
constrained to issuing certain types of certificates.
* Delegated third parties are permitted. The CPS does not clearly state the BR 
requirement that domain validation may not be performed by a delegated third 
* The only method of domain validation specified in the BR Self Assessment is 
the now deprecated How and when will the Government of Tunisia 
comply with CA/Browser Forum ballot 218?
* The Government of Tunisia’s answer for wildcard domain validation in their BR 
Self Assessment implies the use of method, but they claim not to use 
that method in the same document.
* CPS section 4.9.2 does not permit a person who controls a domain name 
contained in a certificate to request revocation unless they are the Subscriber 
or the Subscriber's legal representative.

* Missing SAN entries: This CA continues 
to misissue certificates, so the manual controls described earlier in this 
thread are inadequate.
* The current subordinate CA CPS is dated October 2016. The current root CPS is 
dated July 2015. Mozilla policy requires annual CPS updates.
* The CPS does not comply with the BR requirement to document support for 
Certificate Authority Authorization (CAA). Has CAA been implemented?
* The CPS does not describe how domain validation is performed and which of the 
BR methods are utilized as required by Mozilla policy section 2.2.
* The CPS claims in section 4.2.1 that the databases of regional IP address 
registries are used to verify domain control. Please explain how this is 

Next steps:
1. I would ask a representative of the Government of Tunisia to answer the 
above questions.
2. The CPS issues need to be corrected and new versions published.
3. Given the ongoing misissuance, I would not recommend approval of this 
request until pre-issuance linting has been implemented.
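The pre-issuance linting asked for in step 3 can be as small as a profile check run over the to-be-signed certificate before the CA signs it. The Go program below is an added illustration, not code from the thread or from the CA in question; it checks the two profile defects named above (a subscriber certificate with no SAN entries, and a subordinate CA with no EKU extension) against self-signed test certificates built from constructed templates, with all names and values made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// lintPrecert applies two Baseline Requirements checks to a to-be-signed
// certificate before the CA signs it; an empty result means it passes.
func lintPrecert(c *x509.Certificate) []string {
	var findings []string
	if c.IsCA {
		// A subordinate CA with no EKU extension is not constrained in what it may issue.
		if len(c.ExtKeyUsage) == 0 {
			findings = append(findings, "subordinate CA has no EKU extension")
		}
		return findings
	}
	// Subscriber certificates must carry at least one subjectAltName entry.
	if len(c.DNSNames)+len(c.IPAddresses)+len(c.EmailAddresses)+len(c.URIs) == 0 {
		findings = append(findings, "subscriber certificate has no SAN entries")
	}
	return findings
}

// makeCert self-signs a constructed test template with a fresh P-256 key so
// the lint runs offline against a real, parsed certificate.
func makeCert(tmpl *x509.Certificate) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.SerialNumber, tmpl.NotBefore = big.NewInt(1), time.Now()
	tmpl.NotAfter = tmpl.NotBefore.Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	// Constructed sample: CN only, no SAN, the profile flagged as misissued above.
	leaf := makeCert(&x509.Certificate{Subject: pkix.Name{CommonName: "www.example.tn"}})
	fmt.Println(lintPrecert(leaf)) // [subscriber certificate has no SAN entries]
}
```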
