Closed
Bug 557167
Opened 15 years ago
Closed 10 years ago
Add CCA India root certificate
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: ram, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: On Hold pending review of all sub-CAs)
Attachments
(14 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier:
Looking forward to submitting details for the inclusion of the Root CA certificate in Mozilla.
Reproducible: Didn't try
Comment 11 • 15 years ago (Reporter)
There are seven intermediate CAs under the Root CA of India. Though the intermediate CAs have subordinate CAs under them, they are all physically located in the same physical infrastructure as the intermediate CAs. The subordinate CAs are allowed mainly for operational management. The intermediate CAs and their subordinate CAs have a single CPS. The audit is as per the security guidelines mentioned in the Information Technology Act. Strict measures are taken by the Root CA to monitor compliance with the CPS and the recommendations specified in the Information Technology Act.
Comment 13 • 15 years ago (Assignee)
Accepting this bug, and starting the Information Gathering and Verification phase:
https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Inclusion of CA Certificates → Add CCA India root certificate
Whiteboard: Information incomplete
Comment 15 • 15 years ago (Assignee)
Here is a summary of the CA hierarchy for each of the seven intermediate CAs:
eMudhra has signed 6 subordinate CAs according to issuance class and type of subscriber. Each of those sub-CAs signs another sub-CA (or two) that sign end-entity certs.
IDRBT - not sure what hierarchy is yet -- IDRBT offers certification services to members of the INFINET which include Reserve Bank of India, public sector banks, private banks, foreign banks, cooperative banks, and financial institutions of India. IDRBT also offers certification services to individuals recommended by the Registration Authority.
MTNL has two levels of subCAs. There are six level 1 SubCAs, and nine level 2 SubCAs. The subCAs are based on authentication level and type of subscriber.
nCode -- not sure what hierarchy is yet
NIC CA issues three classes of Digital Signatures to subscribers, based on the level of verification that is performed in regards to the identity of the certificate subscriber. The NIC CA directly signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing. The NIC CA also signs the E-passport Sub-CA which signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing.
SafeScrypt has two Intermediate CAs signed by the CCA root. One of them is for Class 2, and has signed 10 subCAs which sign end-entity certs. The other is for Class 3 and has signed one subCA which signs end-entity certs.
TCS has signed 9 subordinate CAs.
Comment 16 • 15 years ago (Assignee)
Given the size of the hierarchy under this root (Comment #15), I plan to proceed with this request as follows:
1) Create a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. I'll make this bug dependent on those 7 bugs. (note bug #511380 already exists for NIC)
2) After all 7 of the intermediate CAs have been approved/included, then proceed with evaluating the CCA root certificate for inclusion in NSS.
3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.
Does this make sense?
Comment 17 • 15 years ago (Reporter)
Yes, please go ahead.
In case you require more information, please let us know.
Comment 18 • 15 years ago (Assignee)
Since there is already a bug for the NIC intermediate CA (bug #511380), I'll use the existing bug and the work that has already been done for that sub-CA.
I will create new bugs for the other 6 intermediate CAs, and make this bug dependent on them.
Ramachandran, I will add you in the CC list for each of the bugs so that you will get notification as I work through them and request further information.
Depends on: 511380
Comment 19 • 15 years ago (Assignee)
The bugs for each of the sub-CAs are as follows.
Bug 511380 – NIC
Bug 562763 – SafeScrypt
Bug 562764 – IDRBT
Bug 562766 – TCS
Bug 562769 – MTNL
Bug 562772 – nCode
Bug 562774 – eMudhra
Ramachandran, I have added you to the CC list for each of these bugs, so that you will get notification whenever each bug is updated.
For each of these bugs, please add the appropriate representatives to the CC list who are expected to respond to my requests for further information or clarification.
Note that bug 511380 for NIC is waiting for NIC to respond with the information that I have requested.
Whiteboard: Information incomplete → On Hold pending review of all sub-CAs
Comment 22 • 12 years ago (Reporter)
Verification requirements for issuance of SSL certificates by CAs licensed by the Root CA of India (RCAI) are released.
Comment 23 • 12 years ago (Assignee)
I see that these SSL Guidelines are also posted on the cca.gov.in website.
When are the licensed CAs expected to be in compliance with these new guidelines?
How is it verified that the licensed CAs are in compliance with these guidelines?
What are CCA's plans in regards to the CA/Browser Forum's Baseline Requirements?
https://www.cabforum.org/documents.html
Comment 24 • 11 years ago
According to Google, India CCA has issued unauthorized certificates. The full scope of events is not yet clear.
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
I think this bug should be closed as wontfix.
Comment 25 • 11 years ago (Assignee)
http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
"The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:
gov.in
nic.in
ac.in
rbi.org.in
bankofindia.co.in
ncode.in
tcs.co.in"
Comment 26 • 10 years ago
To India CCA: Are these name constraints acceptable for inclusion in Firefox too?
Comment 27 • 10 years ago (Assignee)
(In reply to Yuhong Bao from comment #26)
> To India CCA: Are these name constraints acceptable for inclusion in Firefox
> too?
This is a super-CA, so their subordinate CAs need to apply for inclusion separately.
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
Each subordinate CA who applies for inclusion (https://wiki.mozilla.org/CA:How_to_apply) will need to be name constrained as per Comment #25.
NIC had applied for inclusion in Bug #511380, but that bug has been closed as WONTFIX due to the incident.
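The domain restriction quoted in Comment 25 and referred to in Comment 27, as an added example that is not part of the bug thread and is not Chrome's or Mozilla's code: a whole-label check that every DNS name in a certificate falls under one of the listed domains or its subdomains. The function names and the sample hostnames are constructed for illustration.

```python
# Added example: matching certificate DNS names against a permitted-domain list.
# The domain list is the one quoted in Comment 25; all function names are hypothetical.
PERMITTED = ("gov.in", "nic.in", "ac.in", "rbi.org.in",
             "bankofindia.co.in", "ncode.in", "tcs.co.in")


def _labels(name):
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def within_subtree(name, base):
    """True if name equals base or is a subdomain of it.

    Comparison is per label, so "evilgov.in" does not match "gov.in"
    the way a plain string-suffix test would.
    """
    n, b = _labels(name), _labels(base)
    if not n or not b or any(label == "" for label in n):
        return False
    if n[0] == "*":
        # Leading wildcard label: what follows "*." must itself be in the subtree.
        n = n[1:]
    return len(n) >= len(b) and n[-len(b):] == b


def name_permitted(name, permitted=PERMITTED):
    """True if name lies under at least one permitted domain."""
    return any(within_subtree(name, base) for base in permitted)


def cert_names_permitted(san_dns_names, permitted=PERMITTED):
    """Check every DNS name of one certificate.

    Returns (ok, offending_names). A single name outside the list fails
    the whole certificate; an empty name list is also treated as a failure.
    """
    bad = [n for n in san_dns_names if not name_permitted(n, permitted)]
    return (bool(san_dns_names) and not bad, bad)


if __name__ == "__main__":
    # Constructed sample: one name inside the list, one outside it.
    print(cert_names_permitted(["www.nic.in", "www.example.com"]))
```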
Comment 28 • 10 years ago
I think the inclusion process will be faster with the name constraints, right?
Comment 29 • 10 years ago (Assignee)
(In reply to Yuhong Bao from comment #28)
> I think the inclusion process will be faster with the name constraints,
> right?
It's still the same process.
Comment 30 • 10 years ago (Assignee)
As per information provided by CCA India, there is a new CA hierarchy and inclusion of certificates in the old CA hierarchy is no longer requested.
Updated • 10 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Updated • 8 years ago
Product: mozilla.org → NSS
Updated • 2 years ago
Product: NSS → CA Program