All,

I am closing the public discussion phase regarding this request. I will be recommending approval of the request to expand the top-level domain restriction to encompass the entire ccTLD of .tr.

Sincerely yours,
Ben

On Thu, Nov 3, 2022 at 12:03 PM Melis ŞİMŞEK <[email protected]> wrote:

> Hi All,
>
> Kamu SM was established to meet the electronic certificate needs of all
> public institutions and organizations with the legislation published in
> Turkey. For this reason, in the process of adding our root certificate to
> trusted root stores, it was foreseen that it would be appropriate to issue
> SSL certificates only to public institutions, taking into account our
> customer profile. However, as a result of a regulation that came into force
> in our country in the past months, we have become able to issue electronic
> certificates to the private sector in some areas. Therefore, our customer
> profile and their needs are changing.
>
> It should be noted that we had been audited by Internal Government
> Auditing Agency, which encompasses all requirements of ETSI audits, before
> 2018. And then, as Ben stated, Kamu SM has been audited within the scope of
> ETSI EN 319 411-1 by an international qualified auditor since 2018. In
> addition, to the best of our knowledge, there is no specific restriction
> for government CAs in the Mozilla Root Store Policy or CA/Browser Baseline
> Requirements. Considering that we provide the necessary conditions, in
> order to meet our customers' need, we also want to provide our SSL
> certificate product to all demanding institutions in Turkey instead of
> limiting it to only public institutions.
>
> PS: Apologies if you receive this reply twice, I tried posting it before
> and I think it failed.
>
> M. Melis ŞİMŞEK
>
> Kamu Sertifikasyon Merkezi (KAMU SM)
>
> On Thursday, November 3, 2022 at 02:37:06 UTC+3, [email protected] wrote:
>
>> Hi Matt,
>> Here is a comment that says they offered to constrain it -
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1262809#c33
>> The public discussion thread also indicates the same -
>> https://groups.google.com/g/mozilla.dev.security.policy/c/vjXyml8Hy-E/m/5JUs8e3YDAAJ .
>> Ben
>>
>> On Wed, Nov 2, 2022 at 5:26 PM Matt Palmer <[email protected]> wrote:
>>
>>> On Wed, Nov 02, 2022 at 09:16:37AM -0600, Ben Wilson wrote:
>>> > We have received a request from Kamu Sertifikasyon Merkezi (KamuSM)
>>> > (https://kamusm.bilgem.tubitak.gov.tr/) to expand its TLD restriction
>>> > in NSS to the .tr ccTLD level to meet the needs of its customers in
>>> > Turkey. (Its root is TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
>>> > <https://crt.sh/?sha256=46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716>.)
>>> > Currently, it is restricted at the subdomain level in NSS code to
>>> > certain subdomains under the .tr ccTLD (gov.tr, k12.tr, pol.tr, mil.tr,
>>> > tsk.tr, kep.tr, bel.tr, edu.tr and org.tr.). However, KamuSM currently
>>> > receives many certificate requests for other domain names ending with
>>> > “.tr”, and it is unable to provide TLS server certificates to those
>>> > customers.
>>>
>>> Does anyone have an easily-to-hand pointer to the reasoning for the
>>> original name constraint being applied? (Lazyweb ftw!)
>>>
>>> - Matt
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "[email protected]" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/Y2L8kd1X8NjQJUS7%40hezmatt.org .
