562763 - Add SafeScrypt root certificate

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[Kathleen Wilson]

SafeScrypt (http://www.safescrypt.com/)
http://cca.gov.in/rw/pages/licensed_ca_safescrypt.en.do
Organization Type: Private 
Customer Base: Government, Private, Semi-Government
CPS: http://www.safescrypt.com/pdf/cps.pdf
Details: https://bugzilla.mozilla.org/attachment.cgi?id=436984

This is a sub-CA of the India CCA root certificate. CCA submitted a request for inclusion of the root certificate in bug #557167. Upon reviewing the request I found that the hierarchy is very large:
https://bugzilla.mozilla.org/show_bug.cgi?id=557167#c15

The approach that we are going to take with this CA hierarchy is as follows.

1) There will be a separate bug for each of the 7 intermediate CAs to be
separately evaluated for inclusion as a trust anchor in NSS. 

2) After all 7 of the intermediate CAs have been approved/included, then
I will proceed with the process of evaluating the CCA root certificate for
inclusion in NSS.

3) If the CCA root certificate is approved for inclusion in NSS, then the 7
intermediate CAs will be removed from NSS at the same time that the CCA root is
included.

Comment 1

[Kathleen Wilson]

Proceeding with the Information Gathering and Verification phase:
https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification

Comment 2

[Kathleen Wilson]

Attachment: Initial Information Gathering Document

The attached document summarizes the information that has been gathered and
verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.

Comment 3

[Jagadeesh K S]

Attachment: Response_Initial_Information_Gathering

Comment 4

[Kathleen Wilson]

Attachment: Updated Information Gathering Document

Thank you for the information. I have attached an updated Information Gathering Document. Please note the items that are highlighted in yellow to indicate where further information or clarification is needed.

Comment 5

[Jagadeesh K S]

Attachment: Safescrypt Test Certificates

Hi Team,

   I have attached two test certs each one from "Safescrypt India RCAI Class2 CA-G2" and "Safescrypt India RCAI Class3 CA-G2" hierarchies.

Regards,
Jagadeesh.K.S

Comment 6

[Jagadeesh K S]

Attachment: Audit Equivalency Certificate

Hi Team,

  I have attached Audit Equivalency Certificate. The audit was conducted for the period 1st Feb 2009 - 15th March 2010.

Regards,
Jagadeesh.K.S

Comment 7

[Jagadeesh K S]

Hi Team,

  Pls find the auditor document link for the audit Mar 2010.

http://www.qadit.com/sify_safescrypt_certificate_2010.pdf

Regards,
Jagadeesh.K.S

Comment 8

[Kathleen Wilson]

Attachment: Safescrypt RCAI Class2 SubCA

Comment 9

[Kathleen Wilson]

Attachment: Safescrypt RCAI Class2 End Entity Test Cert

Comment 10

[Kathleen Wilson]

Attachment: Safescrypt RCAI Class3 SubCA

Comment 11

[Kathleen Wilson]

Attachment: Safescrypt RCAI Class3 End Entity Test Cert

Comment 12

[Kathleen Wilson]

Thank you for the additional information. Please also provide the following.

1) Please point me to the public-facing and audited documentation which summarizes the steps that are taken to verify that the certificate subscriber owns/controls the email address to be included in the certificate. 
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control

2) Please review the Potentiality Problematic Practices (http://wiki.mozilla.org/CA:Problematic_Practices) and identify the ones that apply to these roots. For the items that apply please provide further information.

Comment 13

[Jagadeesh K S]

Hi Team,

  Please find the response for the points 1 & 2.

1. We have some public facing document validation guide for our digital certificate  to our end user. Here it is documented that the client will receive the Pin number and instructions to pick up the certificate.

http://mcacert.safescrypt.com/pdf/Enrolment_Guide.pdf
 
http://www.safescrypt.com/solutions_and_services/digital_certificate_services/individual_certificates/rcai_class_3_certificates_with_org_name_enroll_guide.html

Please find the mail flow for digital certificate issuance.
 
** Certificate applicant chooses to enroll for a particular certificate 
** Completes the enrolment page with all mandatory details along with the Valid Email address of the applicant 
** Once the enrollment is successful the client will receive a confirmation mail on successful enrollment 
** Validation team will validate and issue/reject the enrollment. This information will be sent to the Applicant email id 
** Once the request is approved client will get a mail with a Pin Number and the instructions on how to pickup the digital certificate 


2. Problematic Practices

** SSL and EV certificates -> It is not applicable as we are not issuing from CCA root

** Issuing end entity certificates directly from roots -> We are not issuing any end user certificates directly from root certificate. Our end user certificates are signed by respective intermediate CAs.

** Distributing generated private keys in PKCS#12 files  -> We are not generating any private key on behalf of customer. The key pair is generated at customer system.

** OCSP Responses signed by a certificate under a different root -> We are
not issuing digital certificate with OCSP url

** CRL with critical IDP Extension -> we are issuing full CURL and it is
downloadable

** Generic names for CAs -> We use brand name for CAs.

** Lack of Communication With End Users -> We are accessible through
mail/phone and support/validation team is available.

** Root Count Restrictions -> We have only 1 root from CCA

** Restrict government roots to their Tads -> we have only one Govt root cert
from CCA

** Minimum Key Sizes -> The root key size is 2048, intermediate key size is 2048 and end user key size is 1024. we will be upgrading end user key size from 1024 to 2048 in Jan 2011

** Max Time Between Audits-> External auditors will do annual Audit once in a year and half-yearly audit is internal

** Actual Paperwork -> we are communicating through post or E-Mail as and when
required.

** Improve definition of "independent"; add idea of
"trustworthy" -> For Annual audit, auditors are selected from the
panel listed by CCA 

** Validate all Data included in Certificates -> Validation team will
validate the requested certificate contents based on the validation plan for each respective products.

Comment 14

[Kathleen Wilson]

Attachment: Completed Information Gathering Document

Comment 15

[Kathleen Wilson]

This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about one week. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may sit in the discussion for
weeks. When there are not enough people contributing to the discussions ahead
of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Comment 16

[Kathleen Wilson]

This request is near the top of the queue for public discussion:

https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

As such, I am re-reviewing the information for this request. Here are my questions.

1) Is the information on the pending page correct regarding this request?
http://www.mozilla.org/projects/security/certs/pending/#SafeScrypt

2) Is there a more recent audit statement?

3) Can the validation of ownership/control of email address to be included in the certificate be delegated to any organizations outside of SafeScrypt?

Comment 17

[Jagadeesh K S]

Attachment: Safescrypt latest audit statement

Comment 18

[Jagadeesh K S]

1. Need more information for point no 1.
2. Latest audit statement has been attached.
3. Validation of email address has not been delegated to any organizations outside of safescrypt

Comment 19

[Kathleen Wilson]

Attachment: Completed Information Gathering Document

If all of the information in the attached document is accurate and current, then this request is ready for public discussion.

https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

I'll post a comment in this bug when I start the discussion in the mozilla.dev.security.policy forum.

Comment 20

[Kathleen Wilson]

I am now opening the first public discussion period for this request from SafeScrypt to add the “Safescrypt India-RCAI Class 2 CA-G2” and “Safescrypt India-RCAI Class 3 CA-G2” root certificates and enable the email trust bit for both roots.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “SafeScrypt Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of SafeScrypt must promptly respond directly in the discussion thread to all questions that are posted.

Comment 21

[Kathleen Wilson]

(In reply to Kathleen Wilson from comment #20)
> I am now opening the first public discussion period for this request from
> SafeScrypt to add the “Safescrypt India-RCAI Class 2 CA-G2” and “Safescrypt
> India-RCAI Class 3 CA-G2” root certificates and enable the email trust bit
> for both roots.
> 
> For a description of the public discussion phase, see
> https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
> 
> Public discussion will be in the mozilla.dev.security.policy newsgroup and
> the corresponding dev-security-policy@lists.mozilla.org mailing list.
> 
> http://www.mozilla.org/community/developer-forums.html
> https://lists.mozilla.org/listinfo/dev-security-policy
> news://news.mozilla.org/mozilla.dev.security.policy
> 
> The discussion thread is called “SafeScrypt Root Inclusion Request”
> 
> Please actively review, respond, and contribute to the discussion.
> 
> A representative of SafeScrypt must promptly respond directly in the
> discussion thread to all questions that are posted.


Messages stopped showing up in Google Groups on August 1, so please use a different news reader, such as Thunderbird.

There is a posting from Kyle Hamilton on August 1 that someone from SafeScrypt should respond to. Please post all responses directly into the discussion.

Comment 22

[Kathleen Wilson]

The Google Groups problem has been resolved.

There is a posting from Kyle Hamilton on August 1 that someone from SafeScrypt should respond to. Please post all responses directly into the discussion.

Someone representing SafeScrypt must reply in the discussion as soon as possible, so we may move forward with the discussion.

Comment 23

[Kathleen Wilson]

Please review the CA Communication that was recently sent, and is available here: https://wiki.mozilla.org/CA:Communications

Please add a comment to this bug to provide your response to the action items listed in the CA Communication. For more information about action items #1 and #3, please see items #6 and #7 of
https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

Comment 24

[Kathleen Wilson]

Closing, because no response from CA since 2011.