Closed Bug 557167 Opened 14 years ago Closed 9 years ago

Add CCA India root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: ram, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: On Hold pending review of all sub-CAs)

Attachments

(14 files)

CA Information Check List
102.00 KB, text/html
Details
subordinate CA checklist.doc
43.00 KB, application/msword
Details
Framework -Diagram
64.17 KB, image/png
Details
Intermediate CA -emudhra-details
102.50 KB, application/msword
Details
Intermediate CA -IDRBT-details
80.00 KB, application/msword
Details
Intermediate CA -MTNL-details
102.50 KB, application/msword
Details
Intermediate CA -nCode-details
78.00 KB, application/msword
Details
Intermediate CA -NICCA-details
86.00 KB, application/msword
Details
Intermediate CA -Safescrypt-details
44.50 KB, application/msword
Details
Intermediate CA -TCS CA-details
76.50 KB, application/msword
Details
CA Information check List-resubmited
102.00 KB, application/msword
Details
India PKI Cetificate Policy applicable to Root CA , CA and subscribers
385.11 KB, application/pdf
Details
Compliance with Mozilla ver 2.0
19.51 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
SSL Guidelines for India PKI
78.51 KB, application/pdf
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: 

Looking forward to submit details for the inclusion of Root CA certificate in Mozilla

Reproducible: Didn't try

    
    

    
  


  

    
    

    
  

      
      
      
      

        Attached image
          
        Framework -Diagram
      

    


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  


  

    
    

    
  
There are seven intermediate CAs in under the Root CA of India. Though intermediate CAs have subordinate CA under that,  they all physically located in the same physical infrastructure of intermediate CAs. The subordinated CA are allowed mainly for operational management. The intermediate CAs and its subordinate CAs  have single CPS. The Audit  is as per security guidelines mentioned in the Information Technology ACT. Strict measures are taken by Root CA to monitor the compliance of CPS, and recommendations specified in the Information Technology Act

    
    

    
  


  

    
    

    
  
Accepting this bug, and starting the Information Gathering and Verification
phase:
https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Inclusion of  CA Certificates → Add CCA India root certificate
Whiteboard: Information incomplete

    
    

    
  
Here is a summary of the CA hierarchy for each of the seven intermediate CAs:

eMudhra has signed 6 subordinate CAs according to issuance class and type of subscriber. Each of those sub-CAs sign another sub-CA (or two) that sign end-entity certs.

IDRBT - not sure what hierarchy is yet -- IDRBT offers certification services to members of the INFINET which include Reserve Bank of India, public sector banks, private banks, foreigh banks, cooperative banks, and financial institutions of India. IDRBT also offers certification services to individual recommended by the Registration Authority.

MTNL has two levels of subCAs. There are six level 1 SubCAs, and nine level 2 SubCAs. The subCAs are based on authentication level and type of subscriber.

nCode -- not sure what hierarchy is yet

NIC CA issues three classes of Digital Signatures to subscribers, based on the level of verification that is performed in regards to the identity of the certificate subscriber. The NIC CA directly signs Class 1, Class 2 and Class3 end-entity certificates which can be used for SSL, email, and document signing. The NIC CA also signs the E-passport Sub-CA which signs Class 1, Class 2 and Class3 end-entity certificates which can be used for SSL, email, and document signing. 

SafeScrypt has two Intermediate CAs signed by the CCA root. One of them is for Class 2, and has signed 10 subCAs which sign end-entity certs. The other is for Class 3 and has signed one subCA which signs end-entity certs.

TCA has signed 9 subordinate CAs

    
    

    
  
Given the size of the hierarchy under this root (Comment #15), I plan to proceed with this request as follows:

1) Create a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. I'll make this bug dependent on those 7 bugs. (note bug #511380 already exists for NIC)

2) After all 7 of the intermediate CAs have been approved/included, then proceed with evaluating the CCA root certificate for inclusion in NSS.

3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.

Does this make sense?

    
    

    
  
yes, Please go ahead.
In case if you require more information please let us know

    
    

    
  
Since there is already a bug for the NIC intermediate CA (bug #511380), I'll use the existing bug and the work that has already been done for that sub-CA.

I will create new bugs for the other 6 intermediate CAs, and make this bug dependent on them.

Ramachandran, I will add you in the CC list for each of the bugs so that you will get notification as I work through them and request further information.
Depends on: 511380

    
  
Depends on: 562763

    
  
Depends on: 562764

    
  
Depends on: 562766

    
  
Depends on: 562769

    
  
Depends on: 562772

    
  
Depends on: 562774

    
    

    
  
The bugs for each of the sub-CAs are as follows.

Bug 511380 – NIC
Bug 562763 – SafeScrypt
Bug 562764 – IDRBT
Bug 562766 – TCS
Bug 562769 – MTNL
Bug 562772 – nCode
Bug 562774 – eMudhra

Ramachandran, I have added you to the CC list for each of these bugs, so that you will get notification whenever each bug is updated.

For each of these bugs, please add the appropriate representatives to the CC list who are expected to respond to my requests for further information or clarification.

Note that bug 511380 for NIC is waiting for NIC to respond with the information that I have requested.
Whiteboard: Information incomplete → On Hold pending review of all sub-CAs

    
    

    
  


  

    
    

    
  


  
Verification requirements for issuance of SSL certificates by CA Licenced by  Root CA  Of India(RCAI)  is released.

    
    

    
  
I see that these SSL Guidelines are also posted on the cca.gov.in website.

When are the licensed CAs expected to be in compliance with these new guidelines? 
How is it verified that the licensed CAs are in compliance with these guidelines?

What are CCA's plans in regards to the CA/Browser Forum's Baseline Requirements?
https://www.cabforum.org/documents.html

    
    

    
  
According to Google, India CCA has issued unauthorized certificates. The full scope of events is not yet clear.
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
I think this bug should be closed as wontfix.

    
    

    
  
http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
"The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:
    gov.in
    nic.in
    ac.in
    rbi.org.in
    bankofindia.co.in
    ncode.in
    tcs.co.in"

    
    

    
  
To India CCA: Are these name constraints acceptable for inclusion in Firefox too?

    
    

    
  
(In reply to Yuhong Bao from comment #26)
> To India CCA: Are these name constraints acceptable for inclusion in Firefox
> too?

This is a super-CA, so their subordinate CAs need to apply for inclusion separately.
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs

Each subordinate CA who applies for inclusion (https://wiki.mozilla.org/CA:How_to_apply) will need to be name constrained as per Comment #25.

NIC had applied for inclusion in Bug #511380, but that bug has been closed as WONTFIX due to the incident.

    
    

    
  
I think the inclusion process will be faster with the name constraints, right?

    
    

    
  
(In reply to Yuhong Bao from comment #28)
> I think the inclusion process will be faster with the name constraints,
> right?

It's still the same process.

    
    

    
  
As per information provided by CCA India, there is a new CA hierarchy and inclusion of certificates in the old CA hierarchy is no longer requested

    
  
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX

    
  
Product: mozilla.org → NSS
Product: NSS → CA Program

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: