Add CCA India root certificate

RESOLVED WONTFIX

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED WONTFIX
8 years ago
4 months ago

People

(Reporter: Ramachandran, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: On Hold pending review of all sub-CAs)

Attachments

(14 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: 

Looking forward to submitting details for the inclusion of the Root CA certificate in Mozilla.

Reproducible: Didn't try
(Reporter)

Comment 1

8 years ago
Created attachment 436976 [details]
CA Information Check List
(Reporter)

Comment 2

8 years ago
Created attachment 436977 [details]
subordinate CA checklist.doc
(Reporter)

Comment 3

8 years ago
Created attachment 436978 [details]
Framework -Diagram
(Reporter)

Comment 4

8 years ago
Created attachment 436979 [details]
Intermediate CA -emudhra-details
(Reporter)

Comment 5

8 years ago
Created attachment 436980 [details]
Intermediate CA -IDRBT-details
(Reporter)

Comment 6

8 years ago
Created attachment 436981 [details]
Intermediate CA -MTNL-details
(Reporter)

Comment 7

8 years ago
Created attachment 436982 [details]
Intermediate CA -nCode-details
(Reporter)

Comment 8

8 years ago
Created attachment 436983 [details]
Intermediate CA -NICCA-details
(Reporter)

Comment 9

8 years ago
Created attachment 436984 [details]
Intermediate CA -Safescrypt-details
(Reporter)

Comment 10

8 years ago
Created attachment 436985 [details]
Intermediate CA -TCS CA-details
(Reporter)

Comment 11

8 years ago
There are seven intermediate CAs under the Root CA of India. Though the intermediate CAs have subordinate CAs under them, they are all physically located in the same physical infrastructure of the intermediate CAs. The subordinate CAs are allowed mainly for operational management. The intermediate CAs and their subordinate CAs have a single CPS. The audit is as per the security guidelines mentioned in the Information Technology Act. Strict measures are taken by the Root CA to monitor compliance with the CPS and the recommendations specified in the Information Technology Act.
(Reporter)

Comment 12

8 years ago
Created attachment 436993 [details]
CA Information check List-resubmitted
(Assignee)

Comment 13

8 years ago
Accepting this bug, and starting the Information Gathering and Verification
phase:
https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Inclusion of CA Certificates → Add CCA India root certificate
Whiteboard: Information incomplete
(Assignee)

Updated

8 years ago
Duplicate of this bug: 556489
(Assignee)

Comment 15

8 years ago
Here is a summary of the CA hierarchy for each of the seven intermediate CAs:

eMudhra has signed 6 subordinate CAs according to issuance class and type of subscriber. Each of those sub-CAs sign another sub-CA (or two) that sign end-entity certs.

IDRBT - not sure what hierarchy is yet -- IDRBT offers certification services to members of the INFINET which include Reserve Bank of India, public sector banks, private banks, foreign banks, cooperative banks, and financial institutions of India. IDRBT also offers certification services to individuals recommended by the Registration Authority.

MTNL has two levels of subCAs. There are six level 1 SubCAs, and nine level 2 SubCAs. The subCAs are based on authentication level and type of subscriber.

nCode -- not sure what hierarchy is yet

NIC CA issues three classes of Digital Signatures to subscribers, based on the level of verification that is performed in regards to the identity of the certificate subscriber. The NIC CA directly signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing. The NIC CA also signs the E-passport Sub-CA which signs Class 1, Class 2 and Class 3 end-entity certificates which can be used for SSL, email, and document signing.

SafeScrypt has two Intermediate CAs signed by the CCA root. One of them is for Class 2, and has signed 10 subCAs which sign end-entity certs. The other is for Class 3 and has signed one subCA which signs end-entity certs.

TCA has signed 9 subordinate CAs
(Assignee)

Comment 16

8 years ago
Given the size of the hierarchy under this root (Comment #15), I plan to proceed with this request as follows:

1) Create a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. I'll make this bug dependent on those 7 bugs. (note bug #511380 already exists for NIC)

2) After all 7 of the intermediate CAs have been approved/included, then proceed with evaluating the CCA root certificate for inclusion in NSS.

3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.

Does this make sense?
(Reporter)

Comment 17

8 years ago
Yes, please go ahead.
In case you require more information, please let us know.
(Assignee)

Comment 18

7 years ago
Since there is already a bug for the NIC intermediate CA (bug #511380), I'll use the existing bug and the work that has already been done for that sub-CA.

I will create new bugs for the other 6 intermediate CAs, and make this bug dependent on them.

Ramachandran, I will add you in the CC list for each of the bugs so that you will get notification as I work through them and request further information.
Depends on: 511380
(Assignee)

Updated

7 years ago
Depends on: 562763
(Assignee)

Updated

7 years ago
Depends on: 562764
(Assignee)

Updated

7 years ago
Depends on: 562766
(Assignee)

Updated

7 years ago
Depends on: 562769
(Assignee)

Updated

7 years ago
Depends on: 562772
(Assignee)

Updated

7 years ago
Depends on: 562774
(Assignee)

Comment 19

7 years ago
The bugs for each of the sub-CAs are as follows.

Bug 511380 – NIC
Bug 562763 – SafeScrypt
Bug 562764 – IDRBT
Bug 562766 – TCS
Bug 562769 – MTNL
Bug 562772 – nCode
Bug 562774 – eMudhra

Ramachandran, I have added you to the CC list for each of these bugs, so that you will get notification whenever each bug is updated.

For each of these bugs, please add the appropriate representatives to the CC list who are expected to respond to my requests for further information or clarification.

Note that bug 511380 for NIC is waiting for NIC to respond with the information that I have requested.
Whiteboard: Information incomplete → On Hold pending review of all sub-CAs
(Reporter)

Comment 20

7 years ago
Created attachment 513858 [details]
India PKI Certificate Policy applicable to Root CA, CA and subscribers
(Reporter)

Comment 21

7 years ago
Created attachment 513859 [details]
Compliance with Mozilla ver 2.0
(Reporter)

Comment 22

4 years ago
Created attachment 737873 [details]
SSL Guidelines for India PKI

Verification requirements for issuance of SSL certificates by CAs licensed by the Root CA of India (RCAI) are released.
(Assignee)

Comment 23

4 years ago
I see that these SSL Guidelines are also posted on the cca.gov.in website.

When are the licensed CAs expected to be in compliance with these new guidelines? 
How is it verified that the licensed CAs are in compliance with these guidelines?

What are CCA's plans in regards to the CA/Browser Forum's Baseline Requirements?
https://www.cabforum.org/documents.html

Comment 24

3 years ago
According to Google, India CCA has issued unauthorized certificates. The full scope of events is not yet clear.
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
I think this bug should be closed as wontfix.
(Assignee)

Comment 25

3 years ago
http://googleonlinesecurity.blogspot.com/2014/07/maintaining-digital-certificate-security.html
"The intermediate CA certificates held by NIC were revoked on July 3, as noted above. But a root CA is responsible for all certificates issued under its authority. In light of this, in a future Chrome release, we will limit the India CCA root certificate to the following domains and subdomains thereof in order to protect users:
    gov.in
    nic.in
    ac.in
    rbi.org.in
    bankofindia.co.in
    ncode.in
    tcs.co.in"

Comment 26

3 years ago
To India CCA: Are these name constraints acceptable for inclusion in Firefox too?
(Assignee)

Comment 27

3 years ago
(In reply to Yuhong Bao from comment #26)
> To India CCA: Are these name constraints acceptable for inclusion in Firefox
> too?

This is a super-CA, so their subordinate CAs need to apply for inclusion separately.
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs

Each subordinate CA who applies for inclusion (https://wiki.mozilla.org/CA:How_to_apply) will need to be name constrained as per Comment #25.

NIC had applied for inclusion in Bug #511380, but that bug has been closed as WONTFIX due to the incident.
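
The domain restriction quoted in Comment 25 and referenced in Comment 27, as an added example that is not part of the bug thread or of any browser's code: a simplified Python model of dNSName permitted-subtree matching, compared label by label as RFC 5280 name constraints define it. The function names and the sample hostnames are constructed for illustration.

```python
"""Label-wise dNSName check against the permitted subtrees quoted in Comment 25."""

# Permitted subtrees exactly as listed in the quoted Google post (Comment 25).
PERMITTED_SUBTREES = (
    "gov.in", "nic.in", "ac.in", "rbi.org.in",
    "bankofindia.co.in", "ncode.in", "tcs.co.in",
)


def _labels(name):
    """Normalise a DNS name: lower-case, drop one trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def within_subtree(dns_name, subtree):
    """True if dns_name is the subtree itself or has it as a whole-label suffix."""
    name, base = _labels(dns_name), _labels(subtree)
    if not name or not base or "" in name:
        return False                      # empty name or empty label ("a..gov.in")
    if any("*" in label for label in name[1:]) or ("*" in name[0] and name[0] != "*"):
        return False                      # only a full leftmost wildcard label is accepted
    if name[0] == "*":
        name = name[1:]                   # "*.gov.in" is judged by the domain it expands under
    return len(name) >= len(base) and name[-len(base):] == base


def violations(san_dns_names, permitted=PERMITTED_SUBTREES):
    """Return the dNSName entries that fall outside every permitted subtree."""
    return [n for n in san_dns_names
            if not any(within_subtree(n, p) for p in permitted)]


if __name__ == "__main__":
    # Constructed sample SAN entries, not taken from any real certificate.
    sample = ["portal.gov.in", "WWW.NIC.IN.", "*.ac.in", "notgov.in",
              "gov.in.example.com", "*.in", "mail.example.com"]
    print(violations(sample))
```

A certificate satisfies the constraint only when `violations` returns an empty list for all of its dNSName entries; a plain string suffix test would wrongly accept `notgov.in`.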

Comment 28

3 years ago
I think the inclusion process will be faster with the name constraints, right?
(Assignee)

Comment 29

3 years ago
(In reply to Yuhong Bao from comment #28)
> I think the inclusion process will be faster with the name constraints,
> right?

It's still the same process.
(Assignee)

Comment 30

3 years ago
As per information provided by CCA India, there is a new CA hierarchy and inclusion of certificates in the old CA hierarchy is no longer requested.
(Assignee)

Updated

3 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX

Updated

4 months ago
Product: mozilla.org → NSS