Closed Bug 557167 Opened 15 years ago Closed 10 years ago

Add CCA India root certificate


(CA Program :: CA Certificate Root Program, task)






(Reporter: ram, Assigned: kathleen.a.wilson)



(Whiteboard: On Hold pending review of all sub-CAs)


(14 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: 

Looking forward to submitting details for the inclusion of the Root CA certificate in Mozilla.

Reproducible: Didn't try
Attached image Framework -Diagram
There are seven intermediate CAs under the Root CA of India. Though the intermediate CAs have subordinate CAs under them, they are all physically located in the same physical infrastructure as the intermediate CAs. The subordinate CAs are allowed mainly for operational management. The intermediate CAs and their subordinate CAs have a single CPS. The audit is as per the security guidelines mentioned in the Information Technology Act. Strict measures are taken by the Root CA to monitor compliance with the CPS and the recommendations specified in the Information Technology Act.
Accepting this bug, and starting the Information Gathering and Verification
Ever confirmed: true
Summary: Inclusion of CA Certificates → Add CCA India root certificate
Whiteboard: Information incomplete
Here is a summary of the CA hierarchy for each of the seven intermediate CAs:

eMudhra has signed 6 subordinate CAs according to issuance class and type of subscriber. Each of those sub-CAs sign another sub-CA (or two) that sign end-entity certs.

IDRBT - not sure what hierarchy is yet -- IDRBT offers certification services to members of the INFINET, which include the Reserve Bank of India, public sector banks, private banks, foreign banks, cooperative banks, and financial institutions of India. IDRBT also offers certification services to individuals recommended by the Registration Authority.

MTNL has two levels of subCAs. There are six level 1 SubCAs, and nine level 2 SubCAs. The subCAs are based on authentication level and type of subscriber.

nCode -- not sure what hierarchy is yet

NIC CA issues three classes of Digital Signatures to subscribers, based on the level of verification that is performed in regards to the identity of the certificate subscriber. The NIC CA directly signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing. The NIC CA also signs the E-passport Sub-CA, which signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing.

SafeScrypt has two Intermediate CAs signed by the CCA root. One of them is for Class 2, and has signed 10 subCAs which sign end-entity certs. The other is for Class 3 and has signed one subCA which signs end-entity certs.

TCA has signed 9 subordinate CAs
Given the size of the hierarchy under this root (Comment #15), I plan to proceed with this request as follows:

1) Create a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. I'll make this bug dependent on those 7 bugs. (note bug #511380 already exists for NIC)

2) After all 7 of the intermediate CAs have been approved/included, then proceed with evaluating the CCA root certificate for inclusion in NSS.

3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.

Does this make sense?
Yes, please go ahead.
In case you require more information, please let us know.
Since there is already a bug for the NIC intermediate CA (bug #511380), I'll use the existing bug and the work that has already been done for that sub-CA.

I will create new bugs for the other 6 intermediate CAs, and make this bug dependent on them.

Ramachandran, I will add you in the CC list for each of the bugs so that you will get notification as I work through them and request further information.
Depends on: 511380
Depends on: 562763
Depends on: 562764
Depends on: 562766
Depends on: 562769
Depends on: 562772
Depends on: 562774
The bugs for each of the sub-CAs are as follows.

Bug 511380 – NIC
Bug 562763 – SafeScrypt
Bug 562764 – IDRBT
Bug 562766 – TCS
Bug 562769 – MTNL
Bug 562772 – nCode
Bug 562774 – eMudhra

Ramachandran, I have added you to the CC list for each of these bugs, so that you will get notification whenever each bug is updated.

For each of these bugs, please add the appropriate representatives to the CC list who are expected to respond to my requests for further information or clarification.

Note that bug 511380 for NIC is waiting for NIC to respond with the information that I have requested.
Whiteboard: Information incomplete → On Hold pending review of all sub-CAs
Verification requirements for issuance of SSL certificates by CAs licensed by the Root CA of India (RCAI) have been released.
I see that these SSL Guidelines are also posted on the website.

When are the licensed CAs expected to be in compliance with these new guidelines? 
How is it verified that the licensed CAs are in compliance with these guidelines?

What are CCA's plans in regards to the CA/Browser Forum's Baseline Requirements?
According to Google, India CCA has issued unauthorized certificates. The full scope of events is not yet clear.
I think this bug should be closed as wontfix.
"The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:"
To India CCA: Are these name constraints acceptable for inclusion in Firefox too?
(In reply to Yuhong Bao from comment #26)
> To India CCA: Are these name constraints acceptable for inclusion in Firefox
> too?

This is a super-CA, so their subordinate CAs need to apply for inclusion separately.

Each subordinate CA who applies for inclusion will need to be name constrained as per Comment #25.

NIC had applied for inclusion in Bug #511380, but that bug has been closed as WONTFIX due to the incident.
I think the inclusion process will be faster with the name constraints, right?
(In reply to Yuhong Bao from comment #28)
> I think the inclusion process will be faster with the name constraints,
> right?

It's still the same process.
As per information provided by CCA India, there is a new CA hierarchy and inclusion of certificates in the old CA hierarchy is no longer requested
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: → NSS
Product: NSS → CA Program