Closed
Bug 562764
Opened 14 years ago
Closed 9 years ago
Add IDRBT root certificate
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: Information incomplete)
Attachments
(7 files)
IDRBT (http://idrbtca.org.in/) http://cca.gov.in/rw/pages/licensed_ca_idrbt.en.do Organization Type: Bank/Semi-Government Customer Base: Banks CPS: http://idrbtca.org.in/Download/IDRBT-CPS-v3.1.pdf Details: https://bugzilla.mozilla.org/attachment.cgi?id=436980 This is a sub-CA of the India CCA root certificate. CCA submitted a request for inclusion of the root certificate in bug #557167. Upon reviewing the request I found that the hierarchy is very large: https://bugzilla.mozilla.org/show_bug.cgi?id=557167#c15 The approach that we are going to take with this CA hierarchy is as follows. 1) There will be a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS. 2) After all 7 of the intermediate CAs have been approved/included, then I will proceed with the process of evaluating the CCA root certificate for inclusion in NSS. 3) If the CCA root certificate is approved for inclusion in NSS, then the 7 intermediate CAs will be removed from NSS at the same time that the CCA root is included.
Assignee | ||
Comment 1•14 years ago
|
||
Beginning Information Gathering and Verification: https://wiki.mozilla.org/CA:How_to_apply#Information_gathering_and_verification
Status: NEW → ASSIGNED
Assignee | ||
Updated•14 years ago
|
Whiteboard: Information incomplete
Assignee | ||
Comment 2•14 years ago
|
||
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Comment 3•14 years ago
|
||
A letter from Auditor is attached
Comment 4•14 years ago
|
||
A screen shot of security certificate is attached
Comment 5•14 years ago
|
||
1. Test Website: Invalid Security Certificate CA E-mail address Alias: cahelp@idrbt.ac.in https://services.idrbtca.org.in The digital certificate has been issued to services.idrbtca.org.in as per the screen shot enclosed. 2. CRL URL : http://idrbtca.org.in/crl.crl CRL Issuance frequency for end-entity certificates is available in Section 4.6.9 of CPS V 3.1 (http://idrbtca.org.in/Downloads/IDRBT CA CPS-v3.1) OCSP Responder URL : None; OCSP is currently not provided 3.Audit: Scanned copy of the Letter from the External Auditor (CCA Approved auditor) is enclosed for reference. 4. Domain Name ownership/control The official authorized by the organization to apply for SSL Certificate should enclose the proof of registration of domain name along with the application form in order to get a digital certificate for the domain name. 5. E-mail address ownership/control E-mail verification is done by sending user id and password across e-mail to the end-user to enable submission of Digital certificate Request to IDRBT. This ensures that the official who has requested for digital certificate also has the ownership/control over the e-mail address. Subscribers are personally and solely responsible for the confidentiality and integrity of their private keys. 6. Potentially problematic practices Distribution of generated private keys in PKCS#12 files The file containing the private key, public key and the digital certificate can be downloaded by logging in to the Secured site of IDRBT using the user id and password provided to the end-entity. The file is also protected by a password. 7. Issuing SSL Certificates for internal domains: SSL Certificates have NOT been issued for internal domains SO FAR. OCSP Responses signed by a certificate under a different root Not applicable. OCSP currently not provided. CRL with critical CIDP Extension CRL is a full CRL and there is/are no partitioned CRL(s) that is/are identified by the presence of a CRL Issuing Distribution Point (CIDP) Extension flagged as critical.
Assignee | ||
Comment 6•14 years ago
|
||
When I try to browse to https://services.idrbtca.org.in in my Firefox browser (IDRBT CA has been imported into my browser), I get the error: services.idrbtca.org.in uses an invalid security certificate. The certificate is only valid for 10.0.65.60 (Error code: ssl_error_bad_cert_domain) When I inspect the cert I don't see a “Certificate Subject Alt Name” Extension. Firefox expects to find all DNS names in the SAN. Perhaps this is the problem. Have you tested this in a Firefox browser?
Comment 7•13 years ago
|
||
Now IDRBT has changed their certificate and https://services.idrbtca.org.in is accessible.
Assignee | ||
Comment 8•13 years ago
|
||
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is still needed.
Comment 9•11 years ago
|
||
IDBRT has updated its CPS to suit Mozilla's requirements. The updated CPS is being attached. Prianceu Pandey
Comment 10•11 years ago
|
||
The comments/responses from IDBRT on potentially problematic practices is being attached. -Prianceu Pandey
Assignee | ||
Comment 11•11 years ago
|
||
I was trying to work on this today, but I can't seem to connect to the IDRBT website, because the connection attempt keeps timing out. Are the following URLs still correct? IDRBT Repository: https://services.idrbtca.org.in/ IDRBT CPS (English): http://idrbtca.org.in/CPS.html Test website: https://services.idrbtca.org.in/ Please add a comment in this bug to provide IDRBT's answers to the action items listed in Mozilla's January CA Communication: https://wiki.mozilla.org/CA:Communications#January_10.2C_2013 In regards to the attachment in Comment #10, there are a few items that said: "Recommend modification in the CPS..." Does that mean that I should be able to find those updates in the current CPS on your website?
Comment 12•11 years ago
|
||
The website is currently accessible at my place. Please let us know in case you face any problems. Yes, the modified CPS (ver 3.2) is available on IDBRT's website. PS: I donot represent IDBRT , but I work for the Office of Controller of Certifying Authorities(CCA) , India . Someone from IDBRT will respond shortly to further queries here. Thanks and Regards, Prianceu Pandey.
Assignee | ||
Comment 13•11 years ago
|
||
I just tried again. Connection timed out for IDRBT Repository: https://services.idrbtca.org.in/ Test website: https://services.idrbtca.org.in/ I was able to connect to IDRBT CPS (English): http://idrbtca.org.in/CPS.html And download CPS version 3.2.
Comment 14•11 years ago
|
||
Dear Sir/Madam, The https://services.idrbtca.org.in will be accessiable soon.Shortly the same will be updated here. (In reply to Kathleen Wilson from comment #6) > When I try to browse to https://services.idrbtca.org.in in my Firefox > browser (IDRBT CA has been imported into my browser), I get the error: > > services.idrbtca.org.in uses an invalid security certificate. > The certificate is only valid for 10.0.65.60 > (Error code: ssl_error_bad_cert_domain) > > When I inspect the cert I don't see a “Certificate Subject Alt Name” > Extension. Firefox expects to find all DNS names in the SAN. Perhaps this is > the problem. Have you tested this in a Firefox browser?
Comment 15•11 years ago
|
||
https://services.idrbtca.org.in is accessiable now. Kindly check and do let me know if this not reachable. For your information- I am from IDRBT CA,please drop me mail on(skjha@idrbt.ac.in or cahelp@idrbt.ac.in) or update this ticket for any assistance from IDRBT CA side.
Assignee | ||
Comment 16•11 years ago
|
||
(In reply to Sudhir Kumar Jha from comment #15) > https://services.idrbtca.org.in is accessiable now. Kindly check and do let > me know if this not reachable. Now I get a much quicker response, but I get the error: "The certificate is not trusted because no issuer chain was provided." https://wiki.mozilla.org/CA:Information_checklist#Technical_information_about_each_root_certificate "Intermediate CA certificates are expected to be distributed to the certificate subjects (the holders of the private keys) together with the subjects' own certificates. Those subject parties (e.g. SSL servers) are then expected to send out the intermediate CA certificates together with their own certificates whenever they are asked to send out their certificates. That is required by SSL/TLS. Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates."
Comment 17•11 years ago
|
||
The certificate with complete chain has been deployed over https://services.idrbtca.org.in . Kindly check and confirm the same.Do let me know if issue persist anymore.
Comment 18•11 years ago
|
||
The certificate with complete chain has been deployed over https://services.idrbtca.org.in . Kindly check and confirm the same.Do let me know if issue persist anymore.
Assignee | ||
Comment 19•11 years ago
|
||
My current notes indicate that this inclusion request is for the 2007 cert: http://idrbtca.org.in/Download/IDRBTCA2007.cer Should I change my notes to have this inclusion request be for the 2011 cert instead? http://idrbtca.org.in/Download/CA_Certificate_SHA2.cer
Comment 20•11 years ago
|
||
Yes you can. http://idrbtca.org.in/Download/CA_Certificate_SHA2.cer will be the right one for inclusion.
Assignee | ||
Comment 21•11 years ago
|
||
The items highlighted in yellow indicate where further information is needed. Primarily: current audit statement, compliance with the Baseline Requirements, OCSP, and response to the recent CA Communication.
Comment 22•11 years ago
|
||
Reply for attachment 750128 [details](attach the document with sticky note on Yellow marked item) CRL: As per the latest IDRBT CA CPS-v3.2 -- The IDRBT CA shall update and issue the CRL whenever certificates are revoked or suspended or on the first working day of each month or 30 days after the last update or as and when necessary, whichever occurs first as per CCA guidelines But IDRBT CA will make every effort to publish new CRL in every last working day of the week. OCSP:We don't have any OSCP in place. We use CRL. (Clarrification: Do we need to have this to have our certificate incorporated in Mozilla browser ?) Comments in line for compliance with the Baseline Requirements mentioned in https://wiki.mozilla.org/CA:Communications#January_10.2C_2013 1.Review the proposed changes to Mozilla’s CA Certificate Policy, and assess the impact of those changes to your CA operations CA Stand: a) The proposed updates to Mozilla’s CA Certificate Policy do not require further change to our CA operations, because our CA operations already comply with the proposed policy. 2) Confirm compliance with the CA/Browser Forum’s Baseline Requirements. CA Stand: a) Our CA operations conform to the CA/Browser Forum’s Baseline Requirements for issuance of SSL certificates, and our next audit will include verification of this conformance. 3)Scan your certificate database for certificates that incorrectly have basicConstraints with the cA boolean set to true, or are incorrectly enabled with the keyCertSign Key Usage bit. CA Stand: what you mean by cA boolean set to true in terms of x509.v3 certificate.Please elobrate this.(indeed by reading the https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/ seems not applicable to IDRBT CA ). 4) Deprecate issuance of SSL certificates containing a Reserved IP Address or Internal Server Name IDRBT CA Stand: We don't have any such occurrence in past as well as present for issuance of SSL certificate for Reserved IP address but we issuse over Internal Server name(excluding domain names with extension .int). 5) For each root certificate or trust anchor you control that is included in Mozilla’s CA Certificate Program and has the SSL trust bit enabled by default, please provide a URL to a website (which may be a test site) whose SSL certificate chains up to it IDRBT CA Stand: As per the guidlines stipulated by the Office of the Controller of Certifying Authorities, New Delhi, issuance of SHA1 certificates has been stopped with effect form 1st Jan 2012. The use of SHA2 SSL certificate for protecting the web sites leads to download compatibility issues with older OS used by clients. Audit Statment for year 2013 will be uploaded Shortly.
Assignee | ||
Comment 23•11 years ago
|
||
(In reply to Sudhir Kumar Jha from comment #22) Please carefully review the CA/Browser Forum's Baseline Requirements (BR) document, which is available here: https://www.cabforum.org/documents.html Enablement of the websites (SSL/TLS) trust bit for a root certificate in Mozilla's program requires compliance with the BRs. > CRL BR #13.2.2: If the CA publishes a CRL, then the CA SHALL update and reissue CRLs at least once every seven days, and *the value of the nextUpdate field MUST NOT be more than ten days beyond the value of the thisUpdate field* Also, please let CCA know that their CRL does not import correctly into Firefox. http://cca.gov.in/rw/resources/CCAIndia2011Latest.crl -- Error: Code:ffffe009 ffffe009 is equivalent to -8183, “Security library: improperly formatted DER-encoded message.” It means that the reply contained anything other than a valid DER-encoded CRL. Typical Resolution: Change encoding from PEM to DER. > > OCSP:We don't have any OSCP in place. We use CRL. (Clarrification: Do we > need to have this to have our certificate incorporated in Mozilla browser ?) Yes. BR #13.2.2: The CA SHALL update information provided via an Online Certificate Status Protocol at least every four days. OCSP responses from this service MUST have a maximum expiration time of ten days ... Effective 1 January 2013, the CA SHALL support an OCSP capability using the GET method for Certificates issued in accordance with these Requirements. > 3)Scan your certificate database for certificates that incorrectly have > basicConstraints with the cA boolean set to true, or are incorrectly enabled > with the keyCertSign Key Usage bit. > > CA Stand: what you mean by cA boolean set to true in terms of x509.v3 > certificate.Please elobrate this.(indeed by reading the > https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust- > certficates/ seems not applicable to IDRBT CA ). While I agree that the part about subCA certs doesn't apply to IDRBT, please see the rest of #3: While you are scanning your certificate databases ... please also check for compliance with the following practices. - All certificates with basicConstraints:CA:TRUE have the basicConstraints marked critical. - All intermediate certificates with basicConstraints:CA:TRUE have cRLDistributionPoints containing a well-formed and compliant URL that returns a valid CRL. - All certificates that share a common issuer name contain unique serial numbers (independent of certificate expiration). - All end-entity certificates with RSA key sizes smaller than 2048 bits expire no later than December 2013. - Certificates are not issued with sequential serial numbers. If it is found that certificates have been issued with contiguous serial numbers, then the subject of those certificates must contain unpredictable data that is not under the control of the certificate subscriber. Thanks, Kathleen
Assignee | ||
Comment 24•9 years ago
|
||
As per information provided by CCA India, there is a new CA hierarchy and inclusion of certificates in the old CA hierarchy is no longer requested.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
|
Product: mozilla.org → NSS
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•