Thank you Andrew and Ryan for your feedback on this request to include the "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" root certificate, and enable the Websites trust bit.
Note that the new SHA-256 root certificate will replace the SHA1 “TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3” root certificate that is currently included, but expires on August 21, 2017. So, this CA will greatly appreciate prompt feedback from everyone. I have attached the updated version of the CPS (v1.0.1) to the bug: https://bug1262809.bmoattachments.org/attachment.cgi?id=8844549 Of course, all of this CA’s CPS changes will need to be propagated back to the Turkish version of the CPS, and to the CA's website. But let's see if there is any further feedback first. Andrew, does the updated CPS fully address your questions/concerns? Ryan, in regards to your feedback: 1) Domain Validation Methods For the CA, I recommend reviewing section 3.2.2.4 of version 1.4.1 of the CA/Browser Forum’s Baseline Requirements, because many of the relevant subsections are currently redacted in version 1.4.2 due to ongoing discussions in the CAB Forum. Nevertheless, the CA can review version 1.4.1 to further bolster their domain validation policies and practices. I am hoping that the CAB Forum will resolve the issues that caused the redaction of some sections of the BRs, such that a new version will be published by the end of March that has the same level of information about domain validation as version 1.4.1 of the BRs. Gerv and I plan to send a CA Communication around the end of March, and plan for one of the action items to require that CAs update their CP/CPS, because it should be updated annually. And also to update their domain validation practices and policies. 2) Qualified audit statement listing serial number generation deficiencies for the time period from September 30, 2016 to when it was fixed by the CA. There is a lag between when a BR is updated/adopted, and when the audit principles/criteria are adopted. So, I am not convinced that an audit during that time period would cover that particular control, and list it as an exception in the audit statement. Thanks, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy