Open Bug 1565871 Opened 1 year ago Updated 24 days ago

CCA ROOT CA Certificate Inclusion Request

Categories: NSS :: CA Certificate Root Program (task)
Type: task; Priority: Not set; Severity: normal
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: ram, Assigned: bwilson
Whiteboard: [ca-hold] -- Super-CA -- Comment #9
Attachments: 1 file


Steps to reproduce:

Root CA of India licenses and certifies the public keys of Sub-CAs.

Actual results:

At present the CA certificate is not in the Mozilla store.

Expected results:

Inclusion of the Root certificate in the Mozilla store.

The Root Certifying Authority of India (RCAI), established by the Controller of Certifying Authorities, serves as the trust anchor for electronic authentication through Electronic Signatures in the country. Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. The CCA functions as Root CA to issue certificates to CAs and also to generate CRLs of CAs periodically. Licensed CAs issue certificates to end users.

The following are the highlights of the India PKI hierarchy:

  1. The India PKI hierarchy has two separate trust chains, one for end-entity certificates and one for SSL. There are ten licensed CAs operating in different parts of the country. The types of certificates issued by the CAs are given at http://cca.gov.in/CAServicesOverview.html
  2. The CA systems for issuance of SSL certificates under the trust chain (CCA India SPL) are operated in offline mode at the Root CA and Sub-CA level.
    All Sub-CAs licensed by the Root CA are operated under a single India PKI Policy. There is no separate policy for any of the Sub-CAs licensed by the Root CA. The India PKI Policy is published at http://cca.gov.in/sites/files/pdf/guidelines/CCA-CP.pdf
  3. The verification requirements prior to issuance of end-entity certificates or SSL certificates are governed by the Identity Verification Guidelines specified by the Root CA. Sub-CAs are required to adhere to these Guidelines for issuance of any certificate.
    ref http://cca.gov.in/sites/files/pdf/guidelines/CCA-IVG.pdf
  4. The certificate policy for India PKI covers the policy ID given to each class of certificates; these are common across all CAs and adhere to the India PKI CP. The policy IDs are published at
    ref http://cca.gov.in/sites/files/pdf/guidelines/CCA-OID.pdf
  5. To facilitate interoperability, the Root CA has specified "DSC Interoperability Guidelines" for issuance of certificates under the Root chain. A detailed specification for end-entity and SSL certificates is covered under the DSC Interoperability Guidelines specified by the Root CA, and the same is followed by each Sub-CA. The DSC Interoperability, SSL, OCSP and Signature profiles can be seen at the following links, which are to be adhered to by all the Sub-CAs.
    Cert profile: http://cca.gov.in/sites/files/pdf/guidelines/CCA-IOG.pdf
    OCSP: http://cca.gov.in/sites/files/pdf/guidelines/CCA-OCSP.pdf
    SSL: http://cca.gov.in/sites/files/pdf/guidelines/CCA-SSL.pdf
    Signature: http://cca.gov.in/sites/files/pdf/guidelines/CCA-SP.pdf
    Apart from the requirements for issuance of certificates under the IT Act, additional CAB requirements are also included in the above guidelines.
  6. Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. Audits are carried out to ensure adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time. Auditing of the physical and technical infrastructure of a CA is carried out through a panel of auditors maintained by the CCA. The audit reports are submitted to the Root CA directly by the auditors. The criteria for the audit include WebTrust and CAB requirements. The audit criteria specified by the Root CA are available at:
    http://cca.gov.in/sites/files/pdf/guidelines/CCA-CAAC.pdf
    The Audit Criteria were prepared by PwC and their statement is attached for your reference.
    The list of empanelled auditors is available at
    http://cca.gov.in/list_emplaned_auditors.html
  7. It is optional for a CA to maintain the SPL trust chain. However, if they wish to issue SSL, code signing certificates etc. under the CCA India 2015 SPL trust chain, they have to have an offline, isolated certificate issuance system and should also follow the guidelines issued by the CCA. At present only three CAs are issuing SSL certificates. Ref http://cca.gov.in/display_cert2015.php
  8. In order to establish a single national policy, the Root CA has already laid down a common CPS template for Sub-CAs. Each CA will have its own CPS and has provided links to the policy, procedures and guidelines of the Root CA. The CPSs are available in the disclosure records of each CA published at http://cca.gov.in/licensed_ca.html
  9. The root certificates (CCA India 2014 and CCA India 2015 SPL) are included in Microsoft products and the details are updated in the Common CA Database maintained at http://ccadb.org/cas/

In summary, though there are 10 Sub-CAs licensed by the Root CA, all of them operate under the same policy, standards and verification methods, subject to audit under the criteria set by the Root CA. The policy IDs of certificates are also common to all the Sub-CAs that issue certificates of the same assurance level.

Type: defect → enhancement
Version: 4.0 → other
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

(In reply to Ramachandran from comment #1)

The Root Certifying Authority of India (RCAI), established by the Controller of Certifying Authorities, serves as the trust anchor for electronic authentication through Electronic Signatures in the country. Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. The CCA functions as Root CA to issue certificates to CAs and also to generate CRLs of CAs periodically. Licensed CAs issue certificates to end users.

As you know, the previous root inclusion request from CCA India (Bug #557167) was closed because CCA India is a super-CA as described here:

https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs

"Super-CAs: Some CAs sign the certificates of subordinate CAs to show that they have been accredited or licensed by the signing CA. Such signing CAs are called Super-CAs, and their (first-level) subordinate CAs must apply for inclusion of their own certificates until the following has been established and demonstrated..."

Having each first-level subordinate CA apply directly for inclusion in Mozilla's program as a trust anchor does not prevent them from also being signed by CCA India SPL.

The benefit to Mozilla of having each first-level subordinate CA apply directly for inclusion and be treated as a separate trust anchor is that Mozilla can directly review the practices, policies, and audit statements for each pre-inclusion, and then on an annual basis afterwards. (https://www.ccadb.org/cas/updates)

Once all of the first-level subordinate CAs have successfully been included in Mozilla's program and successfully maintained inclusion status then CCA India could apply for inclusion of the CCA India SPL root certificate.

The following are the highlights of the India PKI hierarchy:

  1. The India PKI hierarchy has two separate trust chains, one for end-entity certificates and one for SSL. There are ten licensed CAs operating in different parts of the country. The types of certificates issued by the CAs are given at http://cca.gov.in/CAServicesOverview.html

Does that mean that there is a separate CCA India SPL root certificate for SSL? Or do the trust chains have the same root certificate?

  2. The CA systems for issuance of SSL certificates under the trust chain (CCA India SPL) are operated in offline mode at the Root CA and Sub-CA level.
    All Sub-CAs licensed by the Root CA are operated under a single India PKI Policy. There is no separate policy for any of the Sub-CAs licensed by the Root CA. The India PKI Policy is published at http://cca.gov.in/sites/files/pdf/guidelines/CCA-CP.pdf

That is useful, as long as the policy fully complies with the CA/Browser Forum Baseline Requirements and Mozilla's Root Store Policy.

  3. The verification requirements prior to issuance of end-entity certificates or SSL certificates are governed by the Identity Verification Guidelines specified by the Root CA. Sub-CAs are required to adhere to these Guidelines for issuance of any certificate.
    ref http://cca.gov.in/sites/files/pdf/guidelines/CCA-IVG.pdf

Where does the India PKI Policy state that every subordinate CA in the hierarchy must follow the Identity Verification Guidelines?

It is not clear to me that the Identity Verification Guidelines meet the requirements of section 3.2.2.4 of the CA/Browser Forum Baseline Requirements.

It is also not clear to me that the Identity Verification Guidelines meet Mozilla's requirements:
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership

  4. The certificate policy for India PKI covers the policy ID given to each class of certificates; these are common across all CAs and adhere to the India PKI CP. The policy IDs are published at
    ref http://cca.gov.in/sites/files/pdf/guidelines/CCA-OID.pdf

Do those Policy OIDs bind CAs to the India PKI Policy and the Identity Verification Guidelines?

  5. To facilitate interoperability, the Root CA has specified "DSC Interoperability Guidelines" for issuance of certificates under the Root chain. A detailed specification for end-entity and SSL certificates is covered under the DSC Interoperability Guidelines specified by the Root CA, and the same is followed by each Sub-CA. The DSC Interoperability, SSL, OCSP and Signature profiles can be seen at the following links, which are to be adhered to by all the Sub-CAs.
    Cert profile: http://cca.gov.in/sites/files/pdf/guidelines/CCA-IOG.pdf
    OCSP: http://cca.gov.in/sites/files/pdf/guidelines/CCA-OCSP.pdf
    SSL: http://cca.gov.in/sites/files/pdf/guidelines/CCA-SSL.pdf
    Signature: http://cca.gov.in/sites/files/pdf/guidelines/CCA-SP.pdf
    Apart from the requirements for issuance of certificates under the IT Act, additional CAB requirements are also included in the above guidelines.

CCA-SSL.pdf: "Office of CCA will issue necessary guidelines to conform the latest Baseline requirements of CA Browser forum time to time. The CA shall update the CPS and implement the guidelines immediately."

It is not clear to me if that meets Mozilla's requirements that CAs must review the Baseline Requirements and update their CP/CPS documents at least annually.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Revision_Table

  6. Under the provisions of the IT Act, the Controller licenses the Certifying Authorities and also ensures that none of the provisions of the Act are violated. Audits are carried out to ensure adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time. Auditing of the physical and technical infrastructure of a CA is carried out through a panel of auditors maintained by the CCA. The audit reports are submitted to the Root CA directly by the auditors. The criteria for the audit include WebTrust and CAB requirements. The audit criteria specified by the Root CA are available at:
    http://cca.gov.in/sites/files/pdf/guidelines/CCA-CAAC.pdf
    The Audit Criteria were prepared by PwC and their statement is attached for your reference.
    The list of empanelled auditors is available at
    http://cca.gov.in/list_emplaned_auditors.html

Is there something preventing these auditors from also providing audit statements that the WebTrust CA and WebTrust BR criteria have been used in the verification process, and providing WebTrust seals for such audit statements?

  7. It is optional for a CA to maintain the SPL trust chain. However, if they wish to issue SSL, code signing certificates etc. under the CCA India 2015 SPL trust chain, they have to have an offline, isolated certificate issuance system and should also follow the guidelines issued by the CCA. At present only three CAs are issuing SSL certificates. Ref http://cca.gov.in/display_cert2015.php

Please add the subordinate CA certificates to the CCADB, as described here:
https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data
https://www.ccadb.org/policy#4-intermediate-certificates

  8. In order to establish a single national policy, the Root CA has already laid down a common CPS template for Sub-CAs. Each CA will have its own CPS and has provided links to the policy, procedures and guidelines of the Root CA. The CPSs are available in the disclosure records of each CA published at http://cca.gov.in/licensed_ca.html

Note that the Baseline Requirements say that CP/CPS documents must be structured according to RFC 3647.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647

  9. The root certificates (CCA India 2014 and CCA India 2015 SPL) are included in Microsoft products and the details are updated in the Common CA Database maintained at http://ccadb.org/cas/

Yes, I see that.

In summary, though there are 10 Sub-CAs licensed by the Root CA, all of them operate under the same policy, standards and verification methods, subject to audit under the criteria set by the Root CA. The policy IDs of certificates are also common to all the Sub-CAs that issue certificates of the same assurance level.

For each root certificate in Mozilla's program that has the Websites (TLS/SSL) trust bit enabled, all of the CA hierarchy must be audited according to the Baseline Requirements, with the exception of subordinate CA certificates that are technically-constrained as described in section 7.1.5 of the CA/Browser Forum Baseline Requirements.

https://www.ccadb.org/policy#5-policies-practices-and-audit-information

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#531-technically-constrained

Whiteboard: [ca-verifying] - KW 2019-09-18 - Comment #2

The responses to the queries are given below.

  1. Does that mean that there is a separate CCA India SPL root certificate for SSL? Or do the trust chains have the same root certificate?
    RC: Yes, a separate root certificate for SSL and code signing. The ‘CCA India SPL’ root certificate is independent, and at its Sub-CA level there are separate issuing CA certificates for SSL and code signing.

  2. Where does the India PKI Policy state that every subordinate CA in the hierarchy must follow the Identity Verification Guidelines?
    RC: As per the IT CA Rules, a CA shall issue certificates in accordance with the Identity Verification Guidelines issued by the Controller. Every issuing CA's CPS is approved by the CCA. These CPSs are ensured to define references to the ‘Identity Verification Guidelines’ (refer to sections 1.1 and 1.3.2 and, more importantly, section 3.2, which mentions CCA-IVG).

  3. It is also not clear to me that the Identity Verification Guidelines meet Mozilla's requirements: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership
    RC: Verified and modified the Identity Verification Guidelines and SSL Guidelines as per the requirements of Mozilla and the CA/Browser Forum Baseline Requirements (please refer to section 4.1 of the IVG (http://cca.gov.in/sites/files/pdf/guidelines/CCA-IVG.pdf) and the SSL Guidelines (http://cca.gov.in/sites/files/pdf/guidelines/CCA-SSL.pdf)).

  4. Do those Policy OIDs bind CAs to the India PKI Policy and the Identity Verification Guidelines?
    RC: Yes. The verification requirements are different for different classes of certificates, and the respective OIDs provide the binding with the verification level and Policy.

  5. It is not clear to me if that meets Mozilla's requirements that CAs must review the Baseline Requirements and update their CP/CPS documents at least annually.
    RC: The CP/CPS will be reviewed at least once a year. This is mentioned in section 9.12.1 of the CP (http://cca.gov.in/sites/files/pdf/guidelines/CCA-CP.pdf) and CPS (http://cca.gov.in/sites/files/pdf/root-CA/RCAICPS.pdf).

  6. Is there something preventing these auditors from also providing audit statements that the WebTrust CA and WebTrust BR criteria have been used in the verification process, and providing WebTrust seals for such audit statements?
    RC: The auditors can provide audit statements that the Audit Criteria (CCA-Audit), which include the WebTrust CA and WebTrust BR criteria requirements, have been used in the verification process. With the existing provisions of the IT Act, WebTrust audits and seals for the licensed CAs are beyond the regulatory scope of the CCA.

  7. Note that the Baseline Requirements say that CP/CPS documents must be structured according to RFC 3647.
    RC: It is structured as per RFC 3647.

Type: enhancement → task

The intermediate CA certificates have been added under CCA India 2015 SL in CCADB

(In reply to Ramachandran from comment #3)

  6. Is there something preventing these auditors from also providing audit statements that the WebTrust CA and WebTrust BR criteria have been used in the verification process, and providing WebTrust seals for such audit statements?
    RC: The auditors can provide audit statements that the Audit Criteria (CCA-Audit), which include the WebTrust CA and WebTrust BR criteria requirements, have been used in the verification process. With the existing provisions of the IT Act, WebTrust audits and seals for the licensed CAs are beyond the regulatory scope of the CCA.

Mozilla's Root Store Policy only allows us to accept WebTrust and ETSI audits, and does not permit "equivalent" audits. All CAs in Mozilla's program have either WebTrust audits or ETSI EN 319 411 audits (no CAs in Mozilla's program have "equivalent" audits).

Reference:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#31-audits
https://wiki.mozilla.org/CA/Included_Certificates

Whiteboard: [ca-verifying] - KW 2019-09-18 - Comment #2 → [ca-verifying] - KW 2019-10-29 - Comment #5

According to the WebTrust website, https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international, the two audit firms that are licensed for WebTrust in India are BDO and Kochar & Associates. PwC isn't licensed for WebTrust in India yet, according to that website.

Assignee: kwilson → bwilson

I intend to close this bug on or about 1-November-2020 unless the applicant moves forward in pursuit of its root inclusion request.

Flags: needinfo?(bwilson)

Yes, PwC isn't listed for WebTrust in India. However, they are part of our government empanelment for several projects, and leverage their corresponding global teams for this activity. They have confirmed that PwC is part of the licensed practitioner list under CPA Canada in several regions. Hence, we consulted PwC, based on their resource expertise in India or elsewhere in the world, for preparation of the Audit Criteria.

I would like to provide an update on Root CA enrollment: we have instructed all our intermediate CAs to independently approach Mozilla for their CA certificate enrollment. After completion of enrollment of the intermediate CAs, the Root CA case will be taken up.

Flags: needinfo?(bwilson)
Whiteboard: [ca-verifying] - KW 2019-10-29 - Comment #5 → [ca-hold] -- Super-CA -- Comment #9