Categories: CA Program Security

Removing e-Guven CA Certificate

The Certification Authority (CA) certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. will be removed in Firefox 38 due to insufficient and outdated audits.

The integrity of the secure Web depends on CAs issuing certificates that correctly attest to the identity of websites. Mozilla products ship a default list of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a rigorous process and evaluation of the CA’s public-facing policy documentation and audit statements, in order to verify that the CA conforms to the criteria required by Mozilla’s CA Certificate Inclusion Policy.

The CA certificates included in the Mozilla list can be marked as trusted for various purposes, so that the software can use the CA certificates to verify certificates for (1) SSL/TLS servers, (2) S/MIME email users, and/or (3) digitally-signed code objects, without having to ask users for further permission or information. When a CA certificate is trusted for verifying certificates for SSL/TLS servers, Mozilla’s CA Certificate Inclusion Policy requires CAs to annually provide public-facing attestation from an independent party stating that they have audited the CA using one of the following two sets of criteria:

1) Clause 7, “Requirements on CA practice”, in ETSI TS 102 042 V2.3.1 or later version, Policy requirements for certification authorities issuing public key certificates (as applicable to the “EVCP” and “EVCP+” certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates – baseline requirements, and any of the “NCP”, “NCP+”, or “LCP” certificate policies);
OR
2) WebTrust “Principles and Criteria for Certification Authorities 2.0” or later and “SSL Baseline Requirements Audit Criteria V1.1” (as applicable to SSL certificate issuance) in the WebTrust Program for Certification Authorities.
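Firefox stores the three trust purposes listed above (SSL/TLS servers, S/MIME, signed code) as a three-field NSS trust string in the order SSL,S/MIME,JAR/XPI, which is what `certutil -L` prints for each root. The helper below is an added example, not code from this post or from Mozilla: it decodes such trust strings and lists the roots that can vouch for TLS servers. The `certutil` output it parses is a constructed sample with made-up nicknames, and the `certutil -M` invocation in the comments assumes an NSS database directory of your own.

```sh
#!/bin/sh
# Added example: decode NSS trust attributes as printed by `certutil -L`.
# A trust string has three comma-separated fields: SSL, S/MIME, JAR/XPI.
# In each field 'C' = trusted CA for that purpose, 'T' = trusted to issue
# client certs, 'p' = explicitly distrusted, empty = no trust at all.

# Constructed sample of `certutil -L -d <nss-db-dir>` output (not real data).
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA (TLS, email and code)                        CT,C,C
Example Email-Only CA                                        ,C,
Example Distrusted CA                                        p,p,p
Example Root With No Trust                                   ,,'

# trust_purposes "CT,C,C" -> "tls-server smime code-signing"
# Prints the purposes for which a certificate is a trusted CA, or "none".
trust_purposes() {
    printf '%s\n' "$1" | awk -F, '{
        n = 0
        if ($1 ~ /C/) { printf "%s", "tls-server"; n++ }
        if ($2 ~ /C/) { printf "%s%s", (n ? " " : ""), "smime"; n++ }
        if ($3 ~ /C/) { printf "%s%s", (n ? " " : ""), "code-signing"; n++ }
        if (n == 0) printf "none"
        printf "\n"
    }'
}

# tls_trusted_roots "$(certutil -L -d <nss-db-dir>)"
# Prints the nickname of every root whose SSL field carries the C flag,
# i.e. every root Firefox would accept as an issuer of TLS server certificates.
tls_trusted_roots() {
    printf '%s\n' "$1" | awk '
        NR <= 2 || NF < 2 { next }                  # skip the two header lines and blanks
        {
            trust = $NF                             # last column is the trust string
            sub(/[ \t]+[^ \t]+$/, "")               # strip it; the rest is the nickname
            split(trust, f, ",")
            if (f[1] ~ /C/) print $0
        }'
}

# To stop trusting a root before your Firefox upgrade lands, clear all three
# fields on it (assumed nickname and database path; Firefox profiles keep the
# NSS database inside the profile directory):
#   certutil -M -n "<root nickname>" -t ",," -d "<nss-db-dir>"

tls_trusted_roots "$SAMPLE_CERTUTIL_OUTPUT"
```

Run it against live output with `tls_trusted_roots "$(certutil -L -d "<nss-db-dir>")"`; a root that shows up only in the S/MIME or JAR/XPI field is not used for TLS server verification and is therefore not what this policy clause is about.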

Despite many requests for e-Guven to provide current public-facing audit statements that meet the requirements of Mozilla’s CA Certificate Inclusion Policy, the most recent audit statement Mozilla has for e-Guven indicates that the CA was last supervised in 2013, and that the supervision was not performed according to either of the above sets of criteria. The CA was therefore discussed in the mozilla.dev.security.policy forum, and the consensus was that e-Guven’s root certificate should be removed.

As always, we recommend that all users upgrade to the latest version of Firefox. This particular change will be in Firefox 38 and future releases of Firefox.

Mozilla Security Team

3 comments on “Removing e-Guven CA Certificate”

  1. Chad wrote on

    Good job but keep going.

  2. some wrote on

    Why is CNNIC still “trusted”?

    1. laconic wrote on

      CNNIC is still “trusted” only for what they’ve currently got issued. Firefox ships with a list of hashes of all known CNNIC-issued certificates, all others from CNNIC are considered invalid.