{"id":1968,"date":"2015-04-27T13:12:40","date_gmt":"2015-04-27T20:12:40","guid":{"rendered":"https:\/\/blog.mozilla.org\/security\/?p=1968"},"modified":"2016-09-30T02:49:12","modified_gmt":"2016-09-30T09:49:12","slug":"removing-e-guven-ca-certificate","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/","title":{"rendered":"Removing e-Guven CA Certificate"},"content":{"rendered":"<p>The Certification Authority (CA) certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. will be removed in Firefox 38 due to insufficient and outdated audits.<\/p>\n<p>The integrity of the <a title=\"Secure Web\" href=\"http:\/\/en.wikipedia.org\/wiki\/HTTPS\" target=\"_blank\">secure Web<\/a> depends on CAs issuing <a title=\"PKI\" href=\"http:\/\/en.wikipedia.org\/wiki\/Public_key_certificate\" target=\"_blank\">certificates<\/a> that correctly attest to the identity of websites. Mozilla products ship a <a title=\"Mozilla Included CAs\" href=\"https:\/\/wiki.mozilla.org\/CA:IncludedCAs\" target=\"_blank\">default list<\/a> of CA certificates, which may change with each security patch or new version of the product. Inclusion of a CA certificate in Mozilla products involves a <a title=\"CA Inclusion Process Overview\" href=\"https:\/\/wiki.mozilla.org\/CA\" target=\"_blank\">rigorous process<\/a> and evaluation of the CA\u2019s public-facing policy documentation and audit statements, in order to verify that the CA conforms to the criteria required by <a title=\"Mozilla CA Certificate Inclusion Policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/inclusion\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Inclusion Policy<\/a>.<\/p>\n<p>The CA certificates included in the Mozilla list can be marked as trusted for various purposes, so that the software can use the CA certificates to verify certificates for (1) SSL\/TLS servers, (2) S\/MIME email users, and\/or (3) digitally-signed code objects, without having to ask users for further permission or information. When a CA certificate is trusted for verifying certificates for SSL\/TLS servers, <a title=\"Mozilla CA Certificate Inclusion Policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/inclusion\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Inclusion Policy<\/a> requires CAs to annually provide public-facing attestation from an independent party stating that they have audited the CA using one of the following two sets of criteria:<\/p>\n<blockquote><p>1) Clause 7, &#8220;Requirements on CA practice&#8221;, in ETSI TS 102 042 V2.3.1 or later version, <a title=\"ETSI TS 102 042\" href=\"http:\/\/webapp.etsi.org\/workprogram\/Report_WorkItem.asp?WKI_ID=41327\" target=\"_blank\">Policy requirements for certification authorities issuing public key certificates<\/a> (as applicable to the &#8220;EVCP&#8221; and &#8220;EVCP+&#8221; certificate policies, DVCP and OVCP certificate policies for publicly trusted certificates &#8211; baseline requirements, and any of the &#8220;NCP&#8221;, &#8220;NCP+&#8221;, or &#8220;LCP&#8221; certificate policies);<br \/>\nOR<br \/>\n2) WebTrust &#8220;<a title=\"WebTrust for CA 2.0\" href=\"http:\/\/www.webtrust.org\/homepage-documents\/item54279.pdf\" target=\"_blank\">Principles and Criteria for Certification Authorities 2.0&#8243; or later<\/a> and &#8220;<a title=\"WebTrust BR v1.1\" href=\"http:\/\/www.webtrust.org\/homepage-documents\/item72056.pdf\" target=\"_blank\">SSL Baseline Requirements Audit Criteria V1.1<\/a>&#8221; (as applicable to SSL certificate issuance) in <a title=\"WebTrust Program\" href=\"http:\/\/www.webtrust.org\/homepage-documents\/item27839.aspx\" target=\"_blank\">WebTrust Program for Certification Authorities<\/a><\/p><\/blockquote>\n<p>Despite many requests for E-Guven to provide current public-facing audit statements that meet the requirements of <a title=\"Mozilla CA Certificate Inclusion Policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/governance\/policies\/security-group\/certs\/policy\/inclusion\/\" target=\"_blank\">Mozilla\u2019s CA Certificate Inclusion Policy<\/a>, the audit statement that Mozilla has for E-Guven indicates that the last supervision of E-Guven was held in 2013 and was not performed according to either of the above sets of criteria. Therefore, <a title=\"Discussion about E-Guven CA\" href=\"https:\/\/groups.google.com\/d\/msg\/mozilla.dev.security.policy\/LKJO9W5dkSY\/9VjSJhRfraIJ\" target=\"_blank\">discussion about this CA<\/a> was held in the <a title=\"mozilla.dev.security.policy\" href=\"https:\/\/www.mozilla.org\/en-US\/about\/forums\/#dev-security-policy\" target=\"_blank\">mozilla.dev.security.policy<\/a> forum, and the consensus was that E-Guven\u2019s root certificate should be <a title=\"Bugzilla Bug for E-Guven Root Removal\" href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=1145270\" target=\"_blank\">removed<\/a>.<\/p>\n<p>As always, we recommend that all users upgrade to the latest version of Firefox. This particular change will be in <a title=\"Rapid Release Calendar\" href=\"https:\/\/wiki.mozilla.org\/RapidRelease\/Calendar\" target=\"_blank\">Firefox 38<\/a> and future releases of Firefox.<\/p>\n<p>Mozilla Security Team<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Certification Authority (CA) certificate owned by e-Guven Elektronik Bilgi Guvenligi A.S. will be removed in Firefox 38 due to insufficient and outdated audits. The integrity of the secure Web &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/\">Read more<\/a><\/p>\n","protected":false},"author":581,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[45538,69],"tags":[],"coauthors":[45544],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Removing e-Guven CA Certificate - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kathleen Wilson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/\",\"name\":\"Removing e-Guven CA Certificate - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2015-04-27T20:12:40+00:00\",\"dateModified\":\"2016-09-30T09:49:12+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Removing e-Guven CA Certificate\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063\",\"name\":\"Kathleen Wilson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g\",\"caption\":\"Kathleen Wilson\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Removing e-Guven CA Certificate - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/","twitter_misc":{"Written by":"Kathleen Wilson","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/","url":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/","name":"Removing e-Guven CA Certificate - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2015-04-27T20:12:40+00:00","dateModified":"2016-09-30T09:49:12+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2015\/04\/27\/removing-e-guven-ca-certificate\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Removing e-Guven CA Certificate"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/5cc0f3b46b6626ffb6e3b7c24fbf5063","name":"Kathleen Wilson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/8d4547801f543f8990aecbcfc9c18eca","url":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/faede0fc9d625b79b41f567407337db6?s=96&d=identicon&r=g","caption":"Kathleen Wilson"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1968"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/581"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=1968"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/1968\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=1968"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=1968"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=1968"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=1968"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}