Closed
Bug 562763
Opened 14 years ago
Closed 11 years ago
Add SafeScrypt root certificate
Categories: (CA Program :: CA Certificate Root Program, task)
Tracking: (Not tracked)
Status: RESOLVED WONTFIX
People: (Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Details: (Whiteboard: In public discussion)
Attachments (12 files)
38.79 KB, application/pdf
33.00 KB, application/msword
157.83 KB, application/pdf
11.56 KB, application/x-zip-compressed
20.10 KB, application/pdf
1.15 KB, application/x-x509-ca-cert
1.04 KB, application/x-x509-ca-cert
1.20 KB, application/x-x509-ca-cert
1.07 KB, application/x-x509-ca-cert
140.49 KB, application/pdf
715.51 KB, application/pdf
140.68 KB, application/pdf
SafeScrypt (http://www.safescrypt.com/)
http://cca.gov.in/rw/pages/licensed_ca_safescrypt.en.do
Organization Type: Private
Customer Base: Government, Private, Semi-Government
CPS: http://www.safescrypt.com/pdf/cps.pdf
Details: https://bugzilla.mozilla.org/attachment.cgi?id=436984

This is a sub-CA of the India CCA root certificate. CCA submitted a request for inclusion of the root certificate in bug #557167. Upon reviewing the request I found that the hierarchy is very large: https://bugzilla.mozilla.org/show_bug.cgi?id=557167#c15

The approach that we are going to take with this CA hierarchy is as follows.
1) There will be a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS.
2) After all 7 of the intermediate CAs have been approved/included, then I will proceed with the process of evaluating the CCA root certificate for inclusion in NSS.
3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.
Comment 1 • 14 years ago (Assignee)
Proceeding with the Information Gathering and Verification phase: https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: NEW → ASSIGNED
Whiteboard: Information incomplete
Comment 2 • 14 years ago (Assignee)
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Comment 3 • 14 years ago
Comment 4 • 14 years ago (Assignee)
Thank you for the information. I have attached an updated Information Gathering Document. Please note the items that are highlighted in yellow to indicate where further information or clarification is needed.
Comment 5 • 14 years ago
Hi Team,
I have attached two test certs each one from "Safescrypt India RCAI Class2 CA-G2" and "Safescrypt India RCAI Class3 CA-G2" hierarchies.
Regards,
Jagadeesh.K.S
Comment 6 • 14 years ago
Hi Team,
I have attached Audit Equivalency Certificate. The audit was conducted for the period 1st Feb 2009 - 15th March 2010.
Regards,
Jagadeesh.K.S
Comment 7 • 14 years ago
Hi Team,
Pls find the auditor document link for the audit Mar 2010.
http://www.qadit.com/sify_safescrypt_certificate_2010.pdf
Regards,
Jagadeesh.K.S
Comment 8 • 14 years ago (Assignee)
Comment 9 • 14 years ago (Assignee)
Comment 10 • 14 years ago (Assignee)
Comment 11 • 14 years ago (Assignee)
Comment 12 • 14 years ago (Assignee)
Thank you for the additional information. Please also provide the following.
1) Please point me to the public-facing and audited documentation which summarizes the steps that are taken to verify that the certificate subscriber owns/controls the email address to be included in the certificate. https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control
2) Please review the Potentially Problematic Practices (http://wiki.mozilla.org/CA:Problematic_Practices) and identify the ones that apply to these roots. For the items that apply please provide further information.
Comment 13 • 14 years ago
Hi Team,

Please find the response for the points 1 & 2.

1. We have some public facing document validation guide for our digital certificate to our end user. Here it is documented that the client will receive the Pin number and instructions to pick up the certificate.
http://mcacert.safescrypt.com/pdf/Enrolment_Guide.pdf
http://www.safescrypt.com/solutions_and_services/digital_certificate_services/individual_certificates/rcai_class_3_certificates_with_org_name_enroll_guide.html

Please find the mail flow for digital certificate issuance.
** Certificate applicant chooses to enroll for a particular certificate
** Completes the enrolment page with all mandatory details along with the Valid Email address of the applicant
** Once the enrollment is successful the client will receive a confirmation mail on successful enrollment
** Validation team will validate and issue/reject the enrollment. This information will be sent to the Applicant email id
** Once the request is approved client will get a mail with a Pin Number and the instructions on how to pickup the digital certificate

2. Problematic Practices
** SSL and EV certificates -> It is not applicable as we are not issuing from CCA root
** Issuing end entity certificates directly from roots -> We are not issuing any end user certificates directly from root certificate. Our end user certificates are signed by respective intermediate CAs.
** Distributing generated private keys in PKCS#12 files -> We are not generating any private key on behalf of customer. The key pair is generated at customer system.
** OCSP Responses signed by a certificate under a different root -> We are not issuing digital certificate with OCSP url
** CRL with critical IDP Extension -> we are issuing full CURL and it is downloadable
** Generic names for CAs -> We use brand name for CAs.
** Lack of Communication With End Users -> We are accessible through mail/phone and support/validation team is available.
** Root Count Restrictions -> We have only 1 root from CCA
** Restrict government roots to their Tads -> we have only one Govt root cert from CCA
** Minimum Key Sizes -> The root key size is 2048, intermediate key size is 2048 and end user key size is 1024. we will be upgrading end user key size from 1024 to 2048 in Jan 2011
** Max Time Between Audits -> External auditors will do annual Audit once in a year and half-yearly audit is internal
** Actual Paperwork -> we are communicating through post or E-Mail as and when required.
** Improve definition of "independent"; add idea of "trustworthy" -> For Annual audit, auditors are selected from the panel listed by CCA
** Validate all Data included in Certificates -> Validation team will validate the requested certificate contents based on the validation plan for each respective products.
Comment 14 • 14 years ago (Assignee)
Comment 15 • 14 years ago (Assignee)
This request has been added to the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are directly impacted by the time it takes to work through the queue. The goal is to have each discussion take about one week. However, that time varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. If no one reviews and contributes to a discussion, then a request may sit in the discussion for weeks. When there are not enough people contributing to the discussions ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue? You can help by reviewing and providing your feedback in the public discussions of root inclusion requests, or by asking a knowledgeable colleague to do so. Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: Information incomplete → Information confirmed complete
Comment 16 • 13 years ago (Assignee)
This request is near the top of the queue for public discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

As such, I am re-reviewing the information for this request. Here are my questions.
1) Is the information on the pending page correct regarding this request? http://www.mozilla.org/projects/security/certs/pending/#SafeScrypt
2) Is there a more recent audit statement?
3) Can the validation of ownership/control of email address to be included in the certificate be delegated to any organizations outside of SafeScrypt?
Comment 17 • 13 years ago
Comment 18 • 13 years ago
1. Need more information for point no 1.
2. Latest audit statement has been attached.
3. Validation of email address has not been delegated to any organizations outside of safescrypt
Comment 19 • 13 years ago (Assignee)
If all of the information in the attached document is accurate and current, then this request is ready for public discussion. https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion I'll post a comment in this bug when I start the discussion in the mozilla.dev.security.policy forum.
Comment 20 • 13 years ago (Assignee)
I am now opening the first public discussion period for this request from SafeScrypt to add the “Safescrypt India-RCAI Class 2 CA-G2” and “Safescrypt India-RCAI Class 3 CA-G2” root certificates and enable the email trust bit for both roots.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “SafeScrypt Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of SafeScrypt must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
Comment 21 • 13 years ago (Assignee)
(In reply to Kathleen Wilson from comment #20)
> I am now opening the first public discussion period for this request from
> SafeScrypt to add the “Safescrypt India-RCAI Class 2 CA-G2” and “Safescrypt
> India-RCAI Class 3 CA-G2” root certificates and enable the email trust bit
> for both roots.
>
> For a description of the public discussion phase, see
> https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
>
> Public discussion will be in the mozilla.dev.security.policy newsgroup and
> the corresponding dev-security-policy@lists.mozilla.org mailing list.
>
> http://www.mozilla.org/community/developer-forums.html
> https://lists.mozilla.org/listinfo/dev-security-policy
> news://news.mozilla.org/mozilla.dev.security.policy
>
> The discussion thread is called “SafeScrypt Root Inclusion Request”
>
> Please actively review, respond, and contribute to the discussion.
>
> A representative of SafeScrypt must promptly respond directly in the
> discussion thread to all questions that are posted.

Messages stopped showing up in Google Groups on August 1, so please use a different news reader, such as Thunderbird.

There is a posting from Kyle Hamilton on August 1 that someone from SafeScrypt should respond to. Please post all responses directly into the discussion.
Comment 22 • 13 years ago (Assignee)
The Google Groups problem has been resolved. There is a posting from Kyle Hamilton on August 1 that someone from SafeScrypt should respond to. Please post all responses directly into the discussion. Someone representing SafeScrypt must reply in the discussion as soon as possible, so we may move forward with the discussion.
Comment 23 • 13 years ago (Assignee)
Please review the CA Communication that was recently sent, and is available here: https://wiki.mozilla.org/CA:Communications Please add a comment to this bug to provide your response to the action items listed in the CA Communication. For more information about action items #1 and #3, please see items #6 and #7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
Comment 24 • 11 years ago (Assignee)
Closing, because no response from CA since 2011.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
Updated • 7 years ago
Product: mozilla.org → NSS
Updated • 2 years ago
Product: NSS → CA Program