(In reply to Ramachandran from comment #1)
The Root Certifying Authority of India (RCAI) established by the Controller of Certifying Authorities serves as the trust anchor for electronic authentication through Electronic Signatures in the country. Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. CCA functions as Root CA to issue certificates to CAs and also to generate CRLs of CAs periodically. Licenced CAs issue certificates to end users.
As you know, the previous root inclusion request from CCA India (Bug #557167) was closed because CCA India is a super-CA as described here:
"Super-CAs: Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their (first-level) subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated..."
Having each first-level subordinate CA apply directly for inclusion in Mozilla's program as a trust anchor does not prevent them from also being signed by CCA India SPL.
The benefit to Mozilla of having each first-level subordinate CA apply directly for inclusion and be treated as a separate trust anchor is that Mozilla can directly review the practices, policies, and audit statements for each pre-inclusion, and then on an annual basis afterwards. (https://www.ccadb.org/cas/updates)
Once all of the first-level subordinate CAs have successfully been included in Mozilla's program and have successfully maintained inclusion status, then CCA India could apply for inclusion of the CCA India SPL root certificate.
The following are the highlights of the India PKI hierarchy:
- In the India PKI hierarchy, there are two separate trust chains, one for end-entity certificates and one for SSL. There are ten Licenced CAs which are operated in different parts of the country. The types of certificates issued by CAs are given at http://cca.gov.in/CAServicesOverview.html
Does that mean that there is a separate CCA India SPL root certificate for SSL? Or do the trust chains have the same root certificate?
- The CA systems for issuance of SSL certificates under the trust chain (CCA India SPL) are operated in offline mode at Root CA and Sub-CA level.
All Sub-CAs licenced by Root CA are operated under a single India PKI Policy. There is no separate policy for any of the Sub-CAs licensed by Root CA. The India PKI policy is published at http://cca.gov.in/sites/files/pdf/guidelines/CCA-CP.pdf
That is useful, as long as the policy fully complies with the CA/Browser Forum Baseline Requirements and Mozilla's Root Store Policy.
- The verification requirements prior to issuance of end-entity certificates or SSL certificates are governed by the Identity Verification Guidelines specified by Root CA. Sub-CAs are required to adhere to these Guidelines for issuance of any certificate.
Where does the India PKI Policy state that every subordinate CA in the hierarchy must follow the Identity Verification Guidelines?
It is not clear to me that the Identity Verification Guidelines meet the requirements of section 18.104.22.168 of the CA/Browser Forum Baseline Requirements.
It is also not clear to me that the Identity Verification Guidelines meet Mozilla's requirements:
- The certificate policy for India PKI covers the policy Id given to each class of certificates, which are common across all CAs and adhere to the India PKI CP. The policy Ids are published at
Do those Policy OIDs bind CAs to the India PKI Policy and the Identity Verification Guidelines?
- To facilitate interoperability, Root CA has specified "DSC interoperability Guidelines" for issuance of certificates under the Root Chain. A detailed specification for end entity and SSL certificates is covered under the DSC interoperability Guidelines specified by Root CA, and the same is followed by each sub-CA. The DSC Interoperability, SSL, OCSP and Signature profiles can be seen at the following links, which are to be adhered to by all the sub-CAs.
Cert profile: http://cca.gov.in/sites/files/pdf/guidelines/CCA-IOG.pdf
Apart from the requirements for issuance of certificates under the IT Act, additional CAB requirements are also included in the above guidelines.
CA-SSL.pdf: "Office of CCA will issue necessary guidelines to conform the latest Baseline requirements of CA Browser forum time to time. The CA shall update the CPS and implement the guidelines immediately."
It is not clear to me if that meets Mozilla's requirements that CAs must review the Baseline Requirements and update their CP/CPS documents at least annually.
Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. Audits are carried out to ensure adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time. Auditing of the physical and technical infrastructure of a CA is carried out through a panel of auditors maintained by the CCA. The audit reports are submitted to Root CA directly by the auditors. The criteria for the audit include WebTrust and CAB requirements. The audit criteria specified by Root CA are available at Audit Criteria:
The Audit Criteria was prepared by PWC and their statement is attached for your reference.
The list of empanelled auditors is available at
Is there something preventing these auditors from also providing audit statements that the WebTrust CA and WebTrust BR criteria have been used in the verification process, and providing WebTrust seals for such audit statements?
- It is optional for a CA to maintain the SPL Trust Chain. However, if they wish to issue SSL, Code signing certificates etc. under the CCA India 2015 SPL Trust Chain, they have to have an offline, isolated certificate issuance system and should also follow the guidelines issued by CCA. At present only three CAs are issuing SSL certificates. Ref http://cca.gov.in/display_cert2015.php
Please add the subordinate CA certificates to the CCADB, as described here:
- In order to establish a single national policy, Root CA has already laid down a common CPS template for sub-CAs. Each CA has their own CPS and has provided links to the policy, procedures and guidelines of Root CA. The CPSs are available in the disclosure records of each CA published at http://cca.gov.in/licensed_ca.html
Note that the Baseline Requirements say that CP/CPS documents must be structured according to RFC 3647.
- The root certificates (CCA India 2014 and CCA India 2015 SPL) are included in Microsoft products and the details are updated in the Common CA Database maintained at http://ccadb.org/cas/
Yes, I see that.
In summary, though there are 10 sub-CAs licensed by Root CA, all of them are operating under the same policy, standards, and verification methods, and are subject to audit by the criteria set by Root CA. The policy ids of certificates are also common to all the Sub-CAs which issue certificates of the same assurance level.
For each root certificate in Mozilla's program that has the Websites (TLS/SSL) trust bit enabled, all of the CA hierarchy must be audited according to the Baseline Requirements, with the exception of subordinate CA certificates that are technically-constrained as described in section 7.1.5 of the CA/Browser Forum Baseline Requirements.
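As an added illustration of the technical-constraint exception mentioned in the last paragraph (this is example code, not from the bug report or from CCA India), the Go program below builds constructed demo sub-CA certificates and applies the BR section 7.1.5 test to them; the function names and the "example.in" domain are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newSubCA builds a self-signed demo sub-CA (constructed test data, not a real CCA
// India certificate) carrying the given EKUs and optional permitted DNS subtrees.
func newSubCA(ekus []x509.ExtKeyUsage, dns []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Sub-CA (constructed)"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		ExtKeyUsage:           ekus,
		PermittedDNSDomains:   dns, // becomes a Name Constraints extension when non-empty
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// IsTechnicallyConstrained applies the BR 7.1.5 test: an EKU extension must be present
// without anyExtendedKeyUsage, and if it allows serverAuth a Name Constraints extension
// must limit the issuable names (Go exposes only dNSName/iPAddress subtrees, not dirName).
func IsTechnicallyConstrained(c *x509.Certificate) bool {
	if !c.IsCA || (len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0) {
		return false // no EKU extension: the sub-CA may issue for any purpose
	}
	needNames := false
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageAny {
			return false // anyExtendedKeyUsage defeats the constraint
		}
		needNames = needNames || eku == x509.ExtKeyUsageServerAuth
	}
	return !needNames || len(c.PermittedDNSDomains)+len(c.ExcludedDNSDomains)+
		len(c.PermittedIPRanges)+len(c.ExcludedIPRanges) > 0
}
```

A sub-CA that fails this test is inside the audited TLS hierarchy and needs its own Baseline Requirements audit; one that passes may be excluded from that audit scope.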