TURKTRUST has the "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5" root included in the Mozilla program with the 'websites' trust bit enabled (not EV). Crt.sh identifies one unexpired and unrevoked subordinate CA [1], and 13 unexpired end-entity certificates signed by this root [2]. The audits for this root are either already expired (based on audit date) or nearly expired (based on the ETSI certificate expiration date) [3] [4].
TURKTRUST announced the suspension of their SSL business in 2016 [5]. TURKTRUST failed to respond to the January 2018 CA Communication. After repeated attempts, they did respond to my emails and posted a statement in the bug [6] including the following: The strategic decision mentioned above is actually suspending all SSL > business supporting activities that incur direct costs for TURKTRUST, > including suspending the ETSI and BR audits or OV and EV SSL related > insurance policies. We have also ceased our investment and studies on CT > and CAA requirements for the time being that are actually mandatory > criteria set by the CA/Browser Forum. > TURKTRUST has chosen not to request removal of the root, but I believe this is a clear case in which prompt removal of the root is necessary. I would appreciate everyone's constructive input on what action should be taken. - Wayne [1] https://crt.sh/?Identity=%25&iCAID=5766&exclude=expired [2] https://crt.sh/?Identity=%25&iCAID=5767&exclude=expired <https://crt.sh/?Identity=%25&iCAID=5767&exclude=expired> [3] https://bug1332435.bmoattachments.org/attachment.cgi?id=8828490 [4] https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/6749UE_s.pdf <https://cabforum.org/pipermail/public/2016-September/008475.html> [5] https://cabforum.org/pipermail/public/2016-September/008475.html <https://cabforum.org/pipermail/public/2016-September/008475.html> [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1439127 _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

