Closed Bug 511380 Opened 15 years ago Closed 10 years ago

Add NIC (India) Root CA Certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: nic123ca, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: Public Discussion Action Items - Update CPS)

Attachments

(10 files)

NICCA certificate
1.51 KB, application/x-x509-ca-cert
Details
CCA Root Certificate
1.14 KB, application/x-x509-ca-cert
Details
NICCA Hierarchy
31.71 KB, image/jpeg
Details
Initial Information Gathering Document
34.19 KB, application/pdf
Details
Inputs to Initial Information Gathering Document
25.00 KB, application/msword
Details
Audit Equivalency Certificate
119.82 KB, application/pdf
Details
Contact Details of Mr.Debopriya Kar
23.50 KB, application/msword
Details
Audit Equivalency Certificate of NICCA - 2010
389.26 KB, application/pdf
Details
Completed Information Gathering Document
163.51 KB, application/pdf
Details
Updated Information Gathering Document
186.31 KB, application/pdf
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: 

1.	General information about the CA’s associated organization (i.e., the company, nonprofit organization, or government agency operating the CA)
      1. Name – National Informatics Centre 
      2. Website URL – https://nicca.nic.in 
      3. Organizational type – Government
      4. Primary market / customer base – Issued to subscribers in the 
         Government, PSU, Statutory Bodies, and Govt. Registered Companies in
         India.
2.	For each root CA whose certificate is to be included in Mozilla (or whose metadata is to be modified): 
         1. The name of the root CA – NIC Certifying Authority
         2. The root CA certificate – https://nicca.nic.in
         3. The X.509 certificate version – Version 3
         4. SHA-1 fingerprint - 48 22 82 4e ce 7e d1 45 0c 03 9a a0 77 dc 1f 8a 
            e3 48 9b bf
         5. Type of signing key - RSA 
         6. Signing key parameters - 2048 bits 
         7. Valid from (YYYY-MM-DD) - Monday, July 02, 2007 12:11:59 PM
         8. Valid to (YYYY-MM-DD) - Saturday, July 04, 2015 12:00:00 PM
         9. A description of the PKI hierarchy rooted at or otherwise 
            associated with this root CA certificate, including: 
             1.	A list (or summary description) of CAs with certificates signed
                by this root – NICCA - Sub-CA for e-passport 
             2.	A list of any other root CAs that have issued cross-signing 
                certificates for this root CA- No
             3.	The extent and nature of contractual and technical controls
                exercised over subordinate CAs – Sub-CAs are created for
                different organizations and agencies, for ease of operations 
                and management. Sub-CAs are created purely in a technical
                context, to be part of the NICCA’s technical infrastructure.
                The keys created for Sub-Ca are located only on NICCA’s 
                technical infrastructure.
                    1.	Whether or not subordinate CAs are constrained to issue
                        certificates only within certain domains. Sub-CAs can
                        issue Certificates only in the specified domain for
                        which the sub-CA has been created. Agencies for whom
                        the Sub-CAs are created have to be reflected in the
                        corresponding certificate as ‘NICCA – Sub-CA for <name
                        of agency for whom Sub-CA has been set up>’. 
                   2.	Whether or not subordinate CAs can create their own
                        subordinates. No. The certificate issuing authority for
                        the Sub-CA always remains only with NICCA. 
             4.	The extent and nature of audits performed against subordinate
                CAs, including –NICCA - Sub-CA for e-passport
                   1.	Whether or not subordinate CAs are included within the
                        scope of any audit(s) done against the root CA. 
                   2.	Whether or not subordinate CAs are subject to 
                        third-party audits independent of any audit(s) done   
                        against the root CA. 
                   3.	The frequency at which any audit(s) for subordinate CAs 
                        are done. 
         10. Whether certificates are issued for any of the following purposes 
             within the hierarchy rooted at this root CA certificate: 
             1.	Certificates usable for enabling web or other servers to 
                support SSL/TLS connections. Yes 
             2.	Certificates usable for signing and encrypting email messages 
                e.g., using S/MIME). Yes 
             3.	Certificates usable for digitally signing executable code 
                objects. Yes 
       11. If SSL certificates are issued within the hierarchy rooted at this 
           root CA certificate: 
             1.	Whether or not the domain name referenced in the certificate is 
               verified to be owned/controlled by the certificate subscriber - 
               Yes
             2.	Whether or not the value of the Organization attribute is 
                verified to be that associated with the certificate subscriber 
                - Yes 
             3.	Whether verification of the certificate subscriber conforms to 
                the Extended Validation Certificate Guidelines issued by the 
                CAB Forum – Not issued
       12. If email certificates are issued within the hierarchy rooted at this 
           root CA certificate: 
             1.	Whether or not the email account associated with the email 
                address in the certificate is verified to be owned/controlled 
                by the certificate subscriber – Yes verification is done
             2.	Whether or not the identity information in the certificate is 
                verified to be that of the certificate subscriber - Yes 
                verification is done
       13. If code signing certificates are issued within the hierarchy rooted 
           at this root CA certificate, whether or not the identity information 
           in the certificate is verified to be that of the certificate 
           subscriber – Yes verification is done
       14. If EV certificates are issued within the hierarchy rooted at this 
           root, the EV policy OID(s) associated with those EV certificates – 
           Not issued 
       15. Example certificate(s) issued within the hierarchy rooted at this 
           root, including the full certificate chain(s) where applicable – 
           Examples will be included at the time of submission (There should be 
           at least one example certificate for each of the major types of 
           certificates issued, e.g., email vs. SSL vs. code signing, or EV vs. 
           OV vs. DV. For SSL certificates this should also include URLs of one 
           or more web servers using the certificate(s).) 
     16. Whether or not the validity of end entity and CA certificates issued   
         within the hierarchy rooted at this root may be verified using 
         Certificate Revocation Lists (CRLs) and, if so, the URL(s) at which 
         the CRL(s) may be obtained – https://nicca.nic.in/crl_2783.crl
     17. Whether or not the validity of end entity and CA certificates issued 
         within the hierarchy rooted at this root may be verified using the 
         Online Certificate Status Protocol (OCSP) and, if so, the URL(s) for 
         the associated OCSP responder(s) – Currently not provided
     18. The maximum time elapsing from the revocation of an end entity or CA 
         certificate until CRLs and/or OCSP responders are updated to reflect 
         that revocation – CRL updated immediately after the 
         suspension/revocation
     19. The published document(s) describing how certificates are issued 
         within the hierarchy rooted at this root, as well as other practices 
         associated with the root CA and other CAs in the hierarchy, including 
         in particular the Certification Practice Statement(s) (CPS) and 
         related documents – https://nicca.nic.in/pdf/niccacps.pdf
     20. The published document(s) relating to independent audit(s) of the root 
         CA and any CAs within the hierarchy rooted at the root. (For example, 
         for WebTrust for CAs audits this would be the "audit report and 
         management assertions" document available from the webtrust.org site 
         or elsewhere.) – not publicly available 


Reproducible: Always
Accepting this bug, and starting the Information Gathering and Verification phase as described at https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
On the NIC website I found the zip file containing the certs as follows

Download Certificate Chain (NICCA & CCA certs): http://nicca.nic.in/cert/chain.zip

However, I am unable to extract the files from the .zip file. 
I get an error about unknown compression method.

Would you please attach the NIC CA root cert to this bug? Use uncompressed, .crt or .cer format.
Thank you for your email. As desired by you, I am attaching the requisite file. However, before I proceed further, I would like to give you a brief background.
 
National Informatics Centre(NIC), is a premier IT Organisation of the Department of Information Technology,  Govt. of India, has been instrumental in steering Information and Technology applications in various Government Departments at Central, State and District levels. NIC has set up the state of art  Certifying Authority (NICCA) in May, 2003, under license from the Controller of Certifying Authorities  (CCA).

The Government of India established the CCA, under section 17 of the Information Technology (IT) Act 2000, an Act which was passed by the Indian Parliament in June 2000. The Act defines the legal and administrative framework for establishment of a Public Key Infrastructure (PKI) in the country for creating trust in the electronic environment. The CCA is the apex regulatory body to issue license to Certifying Authorities, in accordance with the provisions of the IT Act 2000. 

CCA has set up the The Root Certifying Authority of India (RCAI), which is at the root of trust in the hierarchical PKI established in the country. The Certifying Authorities, which meet the requisite criteria specified in the IT Act 2000, are issued licenses to operate by CCA and come under the RCAI.  As on date, there are eight CAs that are operating under RCAI in India and NICCA is one of them.

Having given you this brief background, I am attaching the file which contains the NICCA trust chain i.e. both the NICCA Certificate and the CCA Root Certificate. 

Best Regards,

Prateek Kr Saha
Chief Operations Manager, NICCA
Attached file NICCA certificate 
I am attaching both NICCA Certificate and the CCA Root Certificate for the complete trust chain.
Attached file CCA Root Certificate 
I am attaching both NICCA Certificate and the CCA Root Certificate for the complete trust chain.
It looks like “CCA India 2007” is the root certificate, and “NIC Certifying Authority” is an intermediate CA.
Mozilla only includes root certificates, not intermediate CAs.
An official representative of the organization that operates the CCA root will need to request inclusion of the root.
We have the technical capability to treat any CA certificate as a trust anchor,
whether it's a root or not.  So, in cases where a root does not qualify under
Mozilla's policy, or chooses not to apply, but a subordinate CA does qualify
and does apply, it is feasible for Mozilla to go ahead an approve the cert 
for that subordinate CA to be treated like a root in Mozilla's trusted list.

Now, some policy questions arise when considering such a case.  For example:
1) if a subordinate CA applies for admission to Mozilla's list, and its 
superior root CA does not apply, how long should Mozilla wait before deciding
to go ahead and and grant trust anchor status to the subordinate?  

I suppose these questions are best discussed in the policy discussion group.
We've discussed this in the past and the resolution is exactly as Nelson explained it. Some concerns could be raised, but none apply to this case IIRC. Therefore this request should enter the queue for public discussion after the normal procedures.
The contents of Comment #6 & Comment #7 has to be seen in the Indian context. I would like to point out that in the Indian PKI regime, NICCA is not an intermediate CA or Sub-CA, in the real sense. This is further explained in the  following lines wherein I have tried to present the Indian PKI model. 

Controller of Certifying Authorities (CCA) is the government Licensing and Regulatory Authority, which has been set up under the Information Technology (IT) Act 2000. The IT Act was passed by the Indian Parliament in June 2000 and defines the legal and administrative framework for establishment of a PKI in the country. The  Act requires that for a Digital Signature Certificate to be valid in an Indian court of law, it has to be issued by a Certifying Authority which has been licensed to operate by the CCA. 

CCA has set up the The Root Certifying Authority of India (RCAI), which is at the root of trust in the well established hierarchical PKI system in the country. The CCA issues license to a Certifying Authority only after overseeing and ensuring the compliance of the “Technical Requirements” and  “Operating Standards” under the IT Act 2000, by the participating CA. These standards are at par with the existing international practices and a comparison between the audit program requirements of CCA and WebTrust shows a clear equivalence. As on date, there are eight CAs that are operating under RCAI in India and NICCA is one of them.

So in the Indian PKI hierarchy, CCA operates a root CA, but technically it is a licensing body whose end entity is a CA only. It may please be noted that CCA does not issue certificates to individuals. Only the licensed CAs in India issue certificates to the general public and others, in accordance with the respective CA’s CPS.

The point in Comment #7 for inclusion of CCA’s Certificate is well taken. It may be reiterated here that CCA is a facilitator for the proliferation of PKI technology in India and NICCA would approach CCA in due course with a request for enrolment of CCA’s Certificate in the firefox browser.
It sounds like I should go ahead with processing this request, assuming that it will be OK for the NICCA to be a trust anchor in Mozilla.

CA Hierarchy:
I am not quite clear on the CA-hierarchy below the NICCA. I saw that the NICCA signs a sub-CA for e-passport, but I’m not sure what that is. Does the NICCA sign end-entity certificates directly?  Are there separate sub-CAs for each verification level/class? It looks like the main use of NICCA is to sign sub-CAs for other organizations for their own internal use within the domain for which the sub-CA was created.  My understanding is that all of the sub-CAs under the NICCA are operated by NICCA, and not by any other third party.


Section 7 of http://www.mozilla.org/projects/security/certs/policy/

The Policy Overview section in the CPS describes how the identity of the certificate subscriber is verified depending on the class/assurance level. 
Class 1 Verification Process: Simply Checks for the certainty of the details given in the DSC Request Form as authenticated by Head of Office
Class 2 Verification Process: Checks for the certainty of the details given in the DSC Request Form as authenticated by Head of Applicant’s Organisation, which is further authenticated by HOD/SIO/DIO/ NICCoordinator. Applicant’s Organisation utilizes various procedures to obtain evidence in respect of identity of the applicants by way of documentary evidence of one of the items under point no 8 (Identification details), resulting in stronger assurance level.
Class 3 Verification Process: In addition to the verification process required for the class II certificates, the subscriber’s of class III certificates are required to be personally present with some proof of identity at NICCA/RA, for issuance of DSC.

Email 
For section 7a of the Mozilla CA Policy there also needs to be procedures for verifying that the email address that is to be referenced in the certificate is owned/controlled by the subscriber. I could not find the text in the CPS or DSC Request Form that explains the steps taken to verify that the certificate subscriber owns/controls the email address to be referenced in the certificate.

Domain (SSL)
For section 7b of the Mozilla CA Policy there also needs to be procedures for SSL certs in which it is verified that the domain to be referenced in the certificate is owned/controlled by the certificate subscriber. I could not find any text in the CPS or DSC Request Form that explains the steps taken to verify that the certificate subscriber owns/controls the domain name to be referenced in the certificate.


Potentially Problematic Practices: http://wiki.mozilla.org/CA:Problematic_Practices
Please review the list of potentially problematic practices and identify which ones may be applicable. For those, please provide further information.

Audit
I believe that the auditor requirements documented in the CPS also meet the requirements of the Mozilla CA Policy.
What is the frequency of the audits?
I understand that the audit report itself is not publicly available.
Would it be possible to get a statement from the auditor saying when the last audit was performed and stating that the audit included all of the criteria for WebTrust CA?
1. CA hierarchy

NICCA has only one Sub-CA which is e-passport. Sub-CAs are allowed to be created for different organizations and agencies, for ease of operations and management. However, Sub-CAs are created purely in a technical context, to be part of the NICCA’s technical infrastructure. The keys created for Sub-CA are located only on NICCA’s technical infrastructure. Agencies for whom the Sub-CAs are created, have to be reflected in the corresponding certificate as ‘‘NICCA – Sub-CA for <name of agency for whom Sub-CA has been set up>’’. The public key of the Sub-CA key pair shall be certified by NICCA’s key, which is in turn certified by CCA. The certificate issuing authority for the Sub-CA shall remain only with NICCA.

There are no separate Sub-CAs for individual verification level/class. NICCA issues certificates directly to the users and user systems.

2. E-mail

E-mail verification is done by the way of sending the user-id/password to the end-user to enable the submission of the Certificate Signing Request to NICCA system. This ensures that the person who has requested for the certificate, also has the control over the e-mail mentioned in the request form.

3. Domain (SSL)

The current version of the CPS which is displayed on the website is NICCA CPS ver 4.3. Depending on the requirement, the CPS is revised from time to time and the next NICCA CPS ver 4.4 is due to be published shortly. Domain name verification procedure has been elaborated and clarity to certain other sections/sub-sections of the CPS have been incorporated in the NICCA CPS ver 4.4. However, there is an elaborate procedure for obtaining both internal and external approvals for authorizing the changes in the CPS of CA. The final approved version is expected to be available in about a week’s time and the same shall be put up on the NICCA website.


4. Audit
The audit of NICCA is conducted annually by CCA accredited external auditor. An internal audit is also required to be done every six months. The audit report is not publicly available but a statement from the auditor stating when the last audit was performed and that the audit included all of the criteria for WebTrust CA, can be obtained at short notice, depending upon requirement.

It has been stated in comment No.9 that The CCA issues license to a Certifying Authority only after overseeing and ensuring the compliance of the “Technical Requirements” and  “Operating Standards” under the IT Act 2000, by the participating CA. These standards are at par with the existing international practices and a comparison between the audit program requirements of CCA and WebTrust shows a clear equivalence.
1. CA hierarchy

> NICCA has only one Sub-CA which is e-passport. Sub-CAs are allowed to be
> created for different organizations and agencies, for ease of operations and
> management. 

Would you please provide a CA Hierarchy diagram showing both the current sub-CA and (in general terms) the possible future sub-CAs? This would probably answer my questions most efficiently. Eg: Will NICCA always have only one sub-CA? What does the e-passport sub-CA sign?  Which CA signs end-entity certs?

The SSL cert for the website https://nicca.nic.in looks to be signed directly by the NICCA. So does the NICCA sign end-entity certs directly? 

> However, Sub-CAs are created purely in a technical context, to be
> part of the NICCA’s technical infrastructure. The keys created for Sub-CA are
> located only on NICCA’s technical infrastructure. Agencies for whom the 
> Sub-CAs are created, have to be reflected in the corresponding certificate 
> as ‘‘NICCA – Sub-CA for <name of agency for whom Sub-CA has been set up>’’. 
> The public key of the Sub-CA key pair shall be certified by NICCA’s key, 
> which is in turn certified by CCA. 

So, is the way that the sub-CAs are handled for the NICCA different from typical CA hierarchies?

Also, I have to raise the question again about which CA should be the trust anchor in Mozilla. Should it be the CCA or the NICCA?

> The certificate issuing authority for the Sub-CA shall remain
> only with NICCA.

So when sub-CAs are created for other organizations, the NIC will still do the verification and issuance for the end-entity certs that those sub-CAs sign. Did I understand correctly?

> There are no separate Sub-CAs for individual verification level/class. 

So the class (verification level) of an end-entity cert is determined solely by the Policy OID within the cert?

> NICCA issues certificates directly to the users and user systems.

Again, I think a diagram will be very useful, because I’m confused about the purpose of the e-passport sub-CA, and which CA(s) actually sign end-entity certs.


2. E-mail

> E-mail verification is done by the way of sending the user-id/password to the
> end-user to enable the submission of the Certificate Signing Request to NICCA
> system. This ensures that the person who has requested for the certificate,
> also has the control over the e-mail mentioned in the request form.

Is it done this way for all class/verification levels?  Is this procedure documented in a publicly available and audited document?

3. Domain (SSL)

> The current version of the CPS which is displayed on the website is NICCA CPS
> ver 4.3. Depending on the requirement, the CPS is revised from time to time and
> the next NICCA CPS ver 4.4 is due to be published shortly. Domain name
> verification procedure has been elaborated and clarity to certain other
> sections/sub-sections of the CPS have been incorporated in the NICCA CPS ver
> 4.4. However, there is an elaborate procedure for obtaining both internal and
> external approvals for authorizing the changes in the CPS of CA. The final
> approved version is expected to be available in about a week’s time and the
> same shall be put up on the NICCA website.

My interpretation of the current CPS is that all three of the class/verification levels can be used for issuing SSL certs. Is this correct?

Will the documented procedures for verifying the domain name be specific to class/verification levels? Or will it be the same regardless of class/verification levels?

4. Audit

> The audit report
> is not publicly available but a statement from the auditor stating when the
> last audit was performed and that the audit included all of the criteria for
> WebTrust CA, can be obtained at short notice, depending upon requirement.

Yes, that would be a great help in showing that the audit meets the requirements of the Mozilla CA Policy.
Attached image NICCA Hierarchy 

    
    

    
  
1. CA hierarchy
   The diagram depicting NICCA hierarchy is attached.

   The SSL cert for the website https://nicca.nic.in looks to be signed  
   directly by the NICCA. So does the NICCA sign end-entity certs directly? –   
   Clarified in the diagram

2. E-mail
   NICCA issues Certificates to the subscribers in the Government, PSUs, 
   Statutory Bodies, and Govt. Registered Companies in India. All details 
   filled by the applicant in the DSC Application form, inclusive of E-mail, 
   are authenticated by the “Head of Office or JS (Admn.) for Government 
   Sector/Superior Authority for Banking Sector of Applicant/ Company Secretary 
   of Govt. Registered Companies, ” before being formally submitted to NICCA 
   for processing. This is given in the “Verification Process” in CPS. The 
   procedure  mentioned in Comment #11 for verification of Emails is documented 
   and internal to NICCA and additionally ensures that the person who has 
   requested for the certificate, also has the control over the e-mail 
   mentioned in the request form.

3. Domain (SSL)
   My interpretation of the current CPS is that all three of the
   class/verification levels can be used for issuing SSL serts. Is        
   this correct? – Yes

   Will the documented procedures for verifying the domain name be  specific to 
   class/verification levels? Or will it be the same  regardless of   
   class/verification levels? – 

   The verification procedure will be specific to class-verification levels and 
   is elaborated in the NICCA CPS ver-4.4, which is expected to be available in 
   about a week’s time.

4. Audit

   We will submit the statement from auditor as soon as the above issues are 
   resolved.

    
    

    
  
Thank you for the updates, I have incorporated them into my local copy of the information gathering document, which I will publish when it is completed -- after the rest of the information has been provided and reviewed: version 4.4 of the CPS and the auditor’s statement.

    
    

    
  
The updated NICCA CPS ver 4.4 is now available at the NICCA website (https: nicca.nic.in) . In this revised edition, Domain name verification procedure has been elaborated. Besides this, clarity to certain sections/sub-sections of the CPS have also been incorporated.

    
    

    
  
Thanks. It looks like the only remaining item is the auditor's statement.

    
    

    
  


  

    
    

    
  
Thank you for providing the auditor’s statement.

The statement is signed by Debopriyo Kar, Head of Information Security Practice of CyberQ Consulting Pvt. Ltd.

The email listed in the auditor’s statement is cyberq@cyberqindia.com.

CyberQ is an accredited auditor as per the India Controller of Certifying Authorities (CCA), http://cca.gov.in/rw/pages/auditors.en.do

When audit reports or statements are provided by the company requesting CA inclusion rather than having an audit report posted on a website such as cert.webtrust.org, the Mozilla process requires doing an independent verification of the authenticity of the audit reports or statements that have been provided.

Is there a direct email address for Mr. Debopriyo Kar at cyberqindia.com?  Or shall I use the cyberq@cyberqindia.com email address.

    
    

    
  


  

    
    

    
  
I have received email from the CCA, stating their intent to apply for inclusion of the CCA root certificate in Mozilla.

Since the NICCA root (the inclusion request in this bug) is signed by the CCA root, I believe that we should proceed with processing the CCA root as the trust anchor.  That would mean that this NICCA root would not be included separately within Mozilla products.

When I process the CCA request, we will have to review all of the sub-CAs, so the information that has been provided in this bug will be used.

    
    

    
  
Before taking any decision to exclude NICCA’s root certificate from the Mozilla Firefox browser, we need to understand the PKI regime that is followed in India, as mentioned in Comment #9 of this bug, wherein it is explained how NICCA is not an intermediate CA or Sub-CA, in the true sense.  

While the requirement of such a root certificate program to include only the Root Certificate as the trust anchor and exclude all other so called intermediate CAs is understandable in a heterogeneous PKI environment, a similar Root Certificate program may not be desirable or relevant, in a country like India,  which has a well established hierarchical PKI regime, with CCA as the apex regulatory body, overseeing and ensuring the compliance of the “Technical Requirements” and  “Operating Standards” under the IT Act 2000, by the CAs under it’s domain. 

It has been pointed out earlier in Comment#7 and Comment#8 that it is technically feasible to include any CA certificate (whether root or not) as trust anchor in Firefox. It is reiterated once again that the Controller of Certifying Authorities (CCA) is the government licensing body and does not issue certificates to any end user. Let it be known and understood that inclusion of only the CCA’s certificate will not benefit even a single end user, when it comes to verification of certificates, thereby defeating the very purpose of inclusion of Root Certificates in Mozilla Firefox.

Similar efforts are also being made with regard to other popular browsers where inclusion of both CCA and NICCA certificates in the same browser is underway. It may please be noted that inclusion of the Root Certificate of only CCA or only NICCA (or  any of the other 7 CAs under CCA’s hierarchy for that matter), will not help the end user for verification of the certificate trust chain in the Indian PKI regime.

In view of above, we therefore urge you to kindly reconsider the matter and include  NICCA’s Certificate in the Mozilla Firefox browser.

    
    

    
  
In accordance with Mozilla's policy, Mozilla should add and trust either 
a) the CCA root but not the NICCA intermediate, or 
b) the NICCA cert (trusted as if it was a root) and not the CCA root.

Assuming that the NIC CA meets all of Mozilla's qualifications, then IMO, the 
decision should be based on whether the CCA's policies suffice to ensure that 
all the subordinate CAs whose certs it issues also meet Mozilla's 
qualifications or not.  

Comment 24 above suggests that the writer believes that distribution of 
intermediate CA certificates with the browser is the only way for them to 
be distributed.  But in fact it is not the normal or expected way for 
intermediate CA certificates to be distributed.  Intermediate CA certificates are expected to be distributed to the certificate subjects (the holders of 
the private keys) together with the subjects' own certificates.  Those subject parties (e.g. SSL servers) are then expected to send out the intermediate CA certificates together with their own certificates whenever they are asked to 
send out their certificates.  That is required by SSL/TLS.
Summary: Add NIC Certifying Authority Root Certificate → Add NIC (India) Root CA Certificate

    
  
Whiteboard: On Hold - Pending decision on CCA vs NICCA as trust anchor

    
  
Blocks: 557167

    
    

    
  
CCA submitted a request for inclusion of the root certificate in bug #557167. Upon reviewing the request I found that the hierarchy is very large: https://bugzilla.mozilla.org/show_bug.cgi?id=557167#c15

The approach that we are going to take with this CA hierarchy is as follows.

1) There will be a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. 

2) After all 7 of the intermediate CAs have been approved/included, then
I will proceed with the process of evaluating the CCA root certificate for inclusion in NSS.

3) If the CCA root certificate is approved for inclusion in NSS, then the 7
intermediate CAs will be removed from NSS at the same time that the CCA root is
included.
Whiteboard: On Hold - Pending decision on CCA vs NICCA as trust anchor → Information incomplete

    
    

    
  
Prateek, I have reviewed my notes for this request, and I have a few things to follow up on.

1) I have not yet confirmed the authenticity of the audit statement as per comment #21. I will need to do so. Has there been a more recent audit?

2) In regards to verification of domain name ownership/control, the CPS says "For SSL Certificates, appropriate Domain Registry shall be queried for verification of details." 

Based on prior root inclusion requests I know that this will not be sufficient information. We will need more detail about how the information retrieved from the Domain Registry is used to confirm that the domain name is owned/controlled by the subscriber. This information needs to be in a public and audited document, such as the CPS.

3) The CPS talks about RA's. Section 1.4 says: "These RAs have complete charge of the authentication and validation of each Subscriber within the organization."

Does it mean that RAs can only issue certificates for internal use within their organization?

What controls and auditing are in place to ensure that the RAs are following appropriate procedures?

    
    

    
  
1) I have not yet confirmed the authenticity of the audit statement as per comment #21. I will need to do so. Has there been a more recent audit?

>Yes, conducted from 5th Feb to 22nd Feb, 2010


2) With regard to verification of domain name ownership/control, the CPS says "For SSL Certificates, appropriate Domain Registry shall be queried for verification of details." 

Based on prior root inclusion requests I know that this will not be sufficient information. We will need more detail about how the information retrieved from the Domain Registry is used to confirm that the domain name is owned/controlled by the subscriber. This information needs to be in a public and audited document, such as the CPS.

>The procedure for retrieval of information from Domain registry and its usage >for verification of Domain name owned/controlled by the subscriber is >contained in an Audited document. NICCA adheres to the same for confirmation >of Domain names, wherever applicable.

3) The CPS talks about RA's. Section 1.4 says: "These RAs have complete charge of the authentication and validation of each Subscriber within the organization."

Does it mean that RAs can only issue certificates for internal use within their organization?

>This particular statement is for RAs working for a particular organisation. >It is one of the types of RA, functioning under NICCA, as is evident from the >complete text of Section 1.4 of the CPS.

4)What controls and auditing are in place to ensure that the RAs are following appropriate procedures?

>Proper third party audits of RAs, by CCA accredited Auditors are conducted as >per CCA guidelines.

    
    

    
  
> New Audit -- Yes, conducted from 5th Feb to 22nd Feb, 2010

That's great. Please have the auditor create a new statement to summarize the criteria and findings of the new audit, similar to the previous one:
https://bug511380.bugzilla.mozilla.org/attachment.cgi?id=405987
in order to meet the requirements of sections 8, 9, and 10 of the Mozilla CA Certificate Policy (http://www.mozilla.org/projects/security/certs/policy/)

It would be good if the new statement could also summarize which certificates were included in the audit; e.g. that the audit was in regards to operations of the "NIC Certifying Authority" sub-CA, and also list it's sub-CAs that were included in the audit.


>The procedure for retrieval of information from Domain registry and its usage
>for verification of Domain name owned/controlled by the subscriber is
>contained in an Audited document. NICCA adheres to the same for confirmation
>of Domain names, wherever applicable.

Please provide the url and section number where I can find this text that describes the main steps that are taken to verify that the certificate subscriber owns/controls the domain name to be included in the certificate.

https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership


> RAs -- Proper third party audits of RAs, by CCA accredited Auditors 
> are conducted as per CCA guidelines.

Good. Is that part of the audit that was conducted from 5th Feb to 22nd Feb, 2010? If so, can the auditor also make a statement that the RA practices have also been audited?

    
    

    
  
1) Please have the auditor create a new statement to summarize the criteria and findings of the new audit, similar to the previous one:
https://bug511380.bugzilla.mozilla.org/attachment.cgi?id=405987
in order to meet the requirements of sections 8, 9, and 10 of the Mozilla CA Certificate Policy.

> The last Annual Audit of NICCA was conducted from 5th Feb to 22nd Feb, 2010. Scanned copy of the latest Audit Equivalency Certificate from CCA accredited third party auditor - M/s CyberQ Consultants Pvt. Ltd. is uploaded for your ready referencel.

2) It would be good if the new statement could also summarize which certificates were included in the audit; e.g. that the audit was in regards to operations of the "NIC Certifying Authority" sub-CA, and also list it's sub-CAs that were included in the audit.

> Included in the statement of the latest Audit Equivalency Certificate.

3) Please provide the url and section number where I can find this text that describes the main steps that are taken to verify that the certificate subscriber owns/controls the domain name to be included in the certificate. 

> The procedure for retrieval of information from Domain registry and its usage for verification of Domain name owned/controlled by the subscriber is contained in an Audited document under General Section category of NICCA Documentation. NICCA adheres to the same for confirmation of Domain names wherever applicable. The text of this document inter-alia includes the following : 

The SSL Certificate is issued after properly verifying the Domain Name. The applicant is required to send a physical copy of DSC Application form with full details of the Custodian of the Server, Department to which the server belongs, Ministry, Official address and Contact Number etc. In the Application form, the Server related details viz. IP Address, URL/Domain name and Physical Location of the Server etc. are also furnished. Before issuing SSL certificate, NICCA ensures the correctness of the furnished information by making NSLOOKUP query /  WHOIS Lookup query as applicable, and in case of any doubt, communicating with the  applicant and resolving the matter over phone, email or personal interaction.


4) Good. Is that part of the audit that was conducted from 5th Feb to 22nd Feb, 2010? If so, can the auditor also make a statement that the RA practices have also been audited?

> Included in the statement of the latest Audit Equivalency Certificate. As per CCA guidelines, RAs are audited along with the Annual CA audit on a sample basis with the stipulation that any new RA has to be compulsorily audited.

    
    

    
  
As per Mozilla practice, I have sent email to the auditor to confirm the authenticity of the audit statement that has been attached to this bug.

> The procedure for retrieval of information from Domain registry and its usage 
> for verification of Domain name owned/controlled by the subscriber is 
> contained in an Audited document under General Section category of NICCA 
> Documentation. NICCA adheres to the same for confirmation of Domain names 
> wherever applicable. The text of this document inter-alia includes the 
> following

Please provide the url to this particular document.

    
    

    
  
I have exchanged email with a representative of CyberQ Consulting Pvt. Ltd., who has confirmed the authenticity of the Audit Equivalency Certificate that was attached in Comment #30.

    
  
Whiteboard: Information incomplete → Information confirmed complete

    
    

    
  
This request is near the top of the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

I will post a comment in this bug when I begin the discussion.

    
    

    
  
I am now opening the first public discussion period for this request from National Informatics Centre (NIC) to add the “NIC Certifying Authority” root certificate and enable all three trust bits.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “NIC Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of NIC must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion

    
    

    
  
> A representative of NIC must promptly respond directly in the discussion 
> thread to all questions that are posted.

Two questions have been posted for a few days now. A representative of this CA must post a response to the questions in the discussion ASAP.

    
    

    
  
The first round of discussion about this request from National Informatics Centre (NIC) to add the “NIC Certifying Authority” root certificate and enable all three trust bits has been closed.

The discussion resulted in action items for NIC to update their CPS as follows.

1) Add text to Section 3.1.6, Authentication of Organization Identity, to describe the minimum steps that the RA must take to perform this authentication. If this information is already provided in another document (e.g. from CCA), then please directly reference that information in this section, so that it is clear the steps that must be followed.

2) Add text to describe the minimum steps that must be taken to verify that the certificate subscriber owns/controls the domain name to be included in the certificate. When the domain name is already registered with NIC, how does the RA use the information from the NIC database to confirm that the information provided by the subscriber is accurate and that the subscriber owns/controls that domain name? When whois is used, what information is used from whois, and how is that information used to confirm that the subscriber owns/controls that domain name?

3) Add text to section 6.1.2 in regards to “NICCA itself does not generate Private Key for the end users. We send crypto device having no keys on it, which carries users personal information printed on it. End users generate their own keys at their place. In case user find some problem, they can visit NICCA office for generating their key pairs. … End users with the help of web interface logins to NICCA site and generate key pairs on the crypto device at their place.”

4) Update section 4.4.1 to be more in line with the Mozilla CA Certificate Policy in regards to revocation. According to section 2 of http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html
there are certain circumstances where the CA must revoke a certificate. The CPS language should reflect that the CA is required to revoke in the listed circumstances (rather than at the CA's discretion).

Please add a comment to this bug when the CPS has been updated. Then I will confirm the completion of these action items, and start a second round of discussion in mozilla.dev.security.policy.

Thanks,
Kathleen
Whiteboard: In public discussion → Public Discussion Action Items - Update CPS

    
    

    
  
NICCA has published CPS Addendum dated 10 Jan 2013 under repository Certficate Practice Statement as shown below.

"CPS Addendum dated 10 Jan 2013 for enrolling Root Certificate under MOZILLA [.pdf]" 


Manoj Kumar Kulshreshth
Chief Operations Manager, NICCA

    
    

    
  
I apologize for the delay in my response. My work on root inclusion requests was postponed for a while.

I will have to review and update my notes on this request. I have added this to my to-do list.

In the meantime, please respond to the recent CA Communication.
https://wiki.mozilla.org/CA:Communications#January_10.2C_2013

    
    

    
  


  
Attached are my current notes on this request. The items highlighted in yellow indicate where further information or clarification is needed.

Please also add a comment to this bug to indicate NIC CA's response to the recent CA Communication: https://wiki.mozilla.org/CA:Communications#January_10.2C_2013

    
    

    
  
In light of the recent misissued certificates issued by this organization (http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html) it should be clear that this request must be rejected and this organization permanently barred from root inclusion.

    
    

    
  
From the inactivity here, it seems like NIC India are not currently interested in pursuing this application. But if it is revived, then the incident you note, and NIC India's reactions to it and the level of transparency they display in the days afterwards, will certainly be a topic of conversation.

Gerv

    
    

    
  
http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
"The intermediate CA certificates held by NIC were revoked on July 3"

So I think it's safe to assume that this particular inclusion request may be closed.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX

    
  
Product: mozilla.org → NSS

    
    

    
  
Can the process of adding the Indian CA be reinitiated and the Indian CA be part of the Trust Root?


In India as per the Legislation, only Indian CA is valid and they do not recognize Foreign CA.


Product: NSS → CA Program

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: