KamuSM request to Expand to .tr ccTLD


Ben Wilson

Nov 2, 2022, 11:16:48 AM
to dev-secur...@mozilla.org
All,

We have received a request from Kamu Sertifikasyon Merkezi (KamuSM) (https://kamusm.bilgem.tubitak.gov.tr/) to expand its TLD restriction in NSS to the .tr ccTLD level to meet the needs of its customers in Turkey. (Its root is TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1.) Currently, it is restricted at the subdomain level in NSS code to certain subdomains under the .tr ccTLD (gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr, kep.tr, bel.tr, edu.tr and org.tr.). However, KamuSM currently receives many certificate requests for other domain names ending with “.tr”, and it is unable to provide TLS server certificates to those customers.

KamuSM has had no recent incidents reported. It is audited under ETSI EN 319 411-1 by Kiwa.  See https://www.kiwa.com/4a8d6c/globalassets/italy/eidas-certificates/tubitak_2022_signed.pdf.

This email begins a 3-week period for public discussion and comment, which I’m scheduling to close on or about November 23, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase.

I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of KamuSM must promptly respond directly in the discussion thread to all questions that are posted.

Thanks,

Ben Wilson
Mozilla Root Program Manager
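
The scope change described in the message above, as an added example (not part of the original post and not NSS source code): it applies RFC 5280 dNSName subtree matching to the nine listed subdomains and to the requested `.tr` scope. The function names and sample hostnames are constructed for illustration.

```python
# Added illustration: RFC 5280 dNSName subtree matching, not NSS source code.

# Permitted subtrees as listed in the message above.
CURRENT_SUBTREES = ["gov.tr", "k12.tr", "pol.tr", "mil.tr", "tsk.tr",
                    "kep.tr", "bel.tr", "edu.tr", "org.tr"]
# Scope requested in the message: the whole ccTLD.
REQUESTED_SUBTREES = ["tr"]


def _labels(name):
    """Lower-case, drop a trailing root dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def within_subtree(dns_name, subtree):
    """True if dns_name equals subtree or adds whole labels to its left."""
    name, base = _labels(dns_name), _labels(subtree)
    if "" in name or len(name) < len(base):
        return False
    # Compare label by label so "notgov.tr" never matches "gov.tr".
    return name[-len(base):] == base


def permitted(dns_name, subtrees):
    """Check a SAN dNSName (wildcards included) against permitted subtrees."""
    # A wildcard covers names under its parent, so the parent must be in scope.
    if dns_name.startswith("*."):
        dns_name = dns_name[2:]
    return any(within_subtree(dns_name, s) for s in subtrees)


def newly_in_scope(names):
    """Names rejected under the current list but allowed under .tr."""
    return [n for n in names
            if not permitted(n, CURRENT_SUBTREES)
            and permitted(n, REQUESTED_SUBTREES)]


# Constructed sample names, not taken from any real certificate request.
SAMPLE_NAMES = ["www.example.gov.tr", "portal.example.edu.tr.",
                "shop.example.com.tr", "notgov.tr", "*.example.com.tr",
                "example.com", "WWW.EXAMPLE.ORG.TR"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, permitted(n, CURRENT_SUBTREES), permitted(n, REQUESTED_SUBTREES))
    print(newly_in_scope(SAMPLE_NAMES))
```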

Matt Palmer

Nov 2, 2022, 7:26:23 PM
to dev-secur...@mozilla.org
On Wed, Nov 02, 2022 at 09:16:37AM -0600, Ben Wilson wrote:
> We have received a request from Kamu Sertifikasyon Merkezi (KamuSM) (
> https://kamusm.bilgem.tubitak.gov.tr/) to expand its TLD restriction in NSS
> to the .tr ccTLD level to meet the needs of its customers in Turkey. (Its
> root is TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
> <https://crt.sh/?sha256=46EDC3689046D53A453FB3104AB80DCAEC658B2660EA1629DD7E867990648716>.)
> Currently, it is restricted at the subdomain level in NSS code to certain
> subdomains under the .tr ccTLD (gov.tr, k12.tr, pol.tr, mil.tr, tsk.tr,
> kep.tr, bel.tr, edu.tr and org.tr.). However, KamuSM currently receives
> many certificate requests for other domain names ending with “.tr”, and it
> is unable to provide TLS server certificates to those customers.

Does anyone have an easily-to-hand pointer to the reasoning for the original
name constraint being applied? (Lazyweb ftw!)

- Matt

Ben Wilson

Nov 2, 2022, 7:37:06 PM
to Matt Palmer, dev-secur...@mozilla.org
Hi Matt,
Here is a comment that says they offered to constrain it - https://bugzilla.mozilla.org/show_bug.cgi?id=1262809#c33
The public discussion thread also indicates the same - https://groups.google.com/g/mozilla.dev.security.policy/c/vjXyml8Hy-E/m/5JUs8e3YDAAJ.
Ben




Melis ŞİMŞEK

Nov 3, 2022, 2:08:45 PM
to dev-secur...@mozilla.org, bwi...@mozilla.com, dev-secur...@mozilla.org, Matt Palmer
Hi All,

Kamu SM was established to meet the electronic certificate needs of all public institutions and organizations with the legislation published in Turkey. For this reason, in the process of adding our root certificate to trusted root stores, it was foreseen that it would be appropriate to issue SSL certificates only to public institutions, taking into account our customer profile. However, as a result of a regulation that came into force in our country in the past months, we have become able to issue electronic certificates to the private sector in some areas. Therefore, our customer profile and their needs are changing.

It should be noted that we had been audited by the Internal Government Auditing Agency, which encompasses all requirements of ETSI audits, before 2018. And then, as Ben stated, Kamu SM has been audited within the scope of ETSI EN 319 411-1 by an international qualified auditor since 2018. In addition, to the best of our knowledge, there is no specific restriction for government CAs in the Mozilla Root Store Policy or CA/Browser Baseline Requirements. Considering that we provide the necessary conditions, in order to meet our customers' needs, we also want to provide our SSL certificate product to all demanding institutions in Turkey instead of limiting it to only public institutions.

PS: Apologies if you receive this reply twice, I tried posting it before and I think it failed.

M. Melis ŞİMŞEK

Kamu Sertifikasyon Merkezi (KAMU SM)

On Thursday, November 3, 2022 at 02:37:06 UTC+3, bwi...@mozilla.com wrote:

Ben Wilson

Nov 28, 2022, 12:05:22 PM
to dev-secur...@mozilla.org
All,

I am closing the public discussion phase regarding this request. I will be recommending approval of the request to expand the top-level domain restriction to encompass the entire ccTLD of .tr.

Sincerely yours,

Ben