On 17/03/2018 01:23, Wayne Thayer wrote:
TURKTRUST has the "TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5"
root included in the Mozilla program with the 'websites' trust bit enabled
(not EV). Crt.sh identifies one unexpired and unrevoked subordinate CA [1],
and 13 unexpired end-entity certificates signed by this root [2]. The
audits for this root are either already expired (based on audit date) or
nearly expired (based on the ETSI certificate expiration date) [3] [4].


Note that 3 of those certificates are CA operational certificates, such
as for the required test URLs.  Thus only 10 true end certificates
remain, all of which will expire in less than 12 months (last two expire
2019-03-18).

TURKTRUST announced the suspension of their SSL business in 2016 [5].

TURKTRUST failed to respond to the January 2018 CA Communication. After
repeated attempts, they did respond to my emails and posted a statement in
the bug [6] including the following:

The strategic decision mentioned above is actually suspending all SSL
business supporting activities that incur direct costs for TURKTRUST,
including suspending the ETSI and BR audits or OV and EV SSL related
insurance policies. We have also ceased our investment and studies on CT
and CAA requirements for the time being that are actually mandatory
criteria set by the CA/Browser Forum.



Note, that if it is reasonably certain/validated that the only activity
is maintaining CRLs/OCSP for the remaining unexpired certificates, then
most of the updated BR requirements (such as CAA, CT and stricter
validation methods) become noops, since no validations are being done,
no CAA strings are accepted, no new certificates are issued etc.

We may thus be looking at the 12 months of an orderly shutdown of a
CA, as per section 5.8 of the standard CPS template, and might
reasonably consider accepting the lack of normal activity levels for
such a situation.  The BRs and Mozilla policy seem silent on the
subject,

The only critical thing that seems to be missing is a BR audit report to
confirm that no issuance is taking place and the revocation management
and CA private key protection is still being done properly.


TURKTRUST has chosen not to request removal of the root, but I believe this
is a clear case in which prompt removal of the root is necessary.

I would appreciate everyone's constructive input on what action should be
taken.

- Wayne

[1] https://crt.sh/?Identity=%25&iCAID=5766&exclude=expired
[2] https://crt.sh/?Identity=%25&iCAID=5767&exclude=expired
<https://crt.sh/?Identity=%25&iCAID=5767&exclude=expired>
[3] https://bug1332435.bmoattachments.org/attachment.cgi?id=8828490
[4]
https://www.tuvit.de/fileadmin/Content/TUV_IT/zertifikate/en/6749UE_s.pdf
<https://cabforum.org/pipermail/public/2016-September/008475.html>
[5] https://cabforum.org/pipermail/public/2016-September/008475.html
<https://cabforum.org/pipermail/public/2016-September/008475.html>
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1439127



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to