eMudhra emSign PKI Services: Policy Document Inconsistency
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: naveen.ml, Assigned: naveen.ml)
Details
(Whiteboard: [ca-compliance] [uncategorized])
Preliminary Incident Report
Summary
Incident description:
A publicly trusted TLS certificate was issued for CN=msmeranchi.nic.in with an RSA key size of 4048 bits, based on a CSR submitted by the subscriber. The RSA key pair was generated by the customer and met the CA/Browser Forum Baseline Requirements, which require a minimum RSA key size of 2048 bits.
Both our CP/CPS v1.14 (in effect at the time of issuance) and the current CP/CPS v1.19 reference only "RSA 2048" under the certificate profile for end-entity certificates, which may be read as a requirement for exactly that key size. That reading is reinforced by the fact that the same CP/CPS explicitly lists RSA key sizes of 2048 or 4096 bits for Root and Subordinate CA certificates. Because the end-entity documentation names no key lengths above 2048, our practice and our documentation were inconsistent, while technically remaining in compliance with the Baseline Requirements. No security risk was introduced. The planned corrective action is to update our CP/CPS to state that RSA key sizes above 2048 bits are permitted, since the profile was intended to express a minimum, consistent with our practice and with the enforcement performed by our linting.
In the same report, the researcher also pointed out a formatting inconsistency in the Code Signing OV profile, where the key length is written as "RSA 20484096". This issue has been acknowledged and will be addressed in the upcoming CP/CPS update.
Relevant policies:
- CA/Browser Forum Baseline Requirements for TLS Server Certificates, Section 6.1.5 (Key Sizes)
- eMudhra CP/CPS v1.14 (in effect at the time of issuance), Section 11, Appendix B: Certificate Profiles
- eMudhra CP/CPS v1.19 (current), Section 11, Appendix B: Certificate Profiles
- Internal CA issuance practice (minimum RSA key size: 2048 bits)
Source of incident disclosure:
External researcher reported the concern via email to problem-reporting@emsign.com on June 19, 2025. We acknowledged and responded to the report within 24 hours, indicating that the CP/CPS would be updated to clarify acceptable RSA key lengths.
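As an added illustration (not part of the incident report or of eMudhra's own tooling) of the pre-issuance lint the report refers to: a Go check of a subscriber RSA key against the two BR 6.1.5 size rules and against the CP/CPS end-entity profile read either as an exact size or as a minimum, which is precisely the ambiguity the report describes. The Profile type, LintRSAKey and the synthetic 4048-bit modulus are assumptions made for this example.

```go
package main

import (
	"crypto/rsa"
	"fmt"
	"math/big"
)

// Profile models the RSA key-size wording of a CP/CPS certificate profile; the
// report's inconsistency is whether "RSA 2048" means exactly 2048 or at least 2048.
type Profile struct {
	Name      string
	Bits      int
	IsMinimum bool
}

// LintRSAKey returns one finding per violated rule (empty means acceptable): the
// BR 6.1.5 rules the report cites (modulus at least 2048 bits and evenly divisible
// by 8), then the CP/CPS profile under the chosen interpretation of its wording.
func LintRSAKey(pub *rsa.PublicKey, p Profile) []string {
	var findings []string
	bits := pub.N.BitLen()
	if bits < 2048 {
		findings = append(findings, fmt.Sprintf("BR 6.1.5: modulus is %d bits, minimum is 2048", bits))
	}
	if bits%8 != 0 {
		findings = append(findings, fmt.Sprintf("BR 6.1.5: modulus size %d is not divisible by 8", bits))
	}
	switch {
	case p.IsMinimum && bits < p.Bits:
		findings = append(findings, fmt.Sprintf("%s: %d bits is below the profile minimum of %d", p.Name, bits, p.Bits))
	case !p.IsMinimum && bits != p.Bits:
		findings = append(findings, fmt.Sprintf("%s: %d bits differs from the profile's exact size %d", p.Name, bits, p.Bits))
	}
	return findings
}

// syntheticKey builds an rsa.PublicKey whose modulus 2^(bits-1)+1 has exactly `bits`
// bits. It is a constructed stand-in for the subscriber's key, not a real modulus;
// size linting only inspects N.BitLen(), so that is sufficient here.
func syntheticKey(bits int) *rsa.PublicKey {
	n := new(big.Int).SetBit(big.NewInt(1), bits-1, 1)
	return &rsa.PublicKey{N: n, E: 65537}
}

func main() {
	key := syntheticKey(4048) // the key size from the report
	fmt.Println(LintRSAKey(key, Profile{Name: "read as exact size", Bits: 2048}))               // one finding
	fmt.Println(LintRSAKey(key, Profile{Name: "read as minimum", Bits: 2048, IsMinimum: true})) // none
}
```

Run as-is to see the 4048-bit key pass the BR checks and the "minimum" reading of the profile while failing the "exact size" reading; a 2052-bit key would instead trip the divisible-by-8 rule.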