Nick - I expect an emSign representative to respond to all of your questions, but their information request indicates that they have been operating the Indian Government Root for more than 10 years and have issued over 35 million certificates: https://bug1442337.bmoattachments.org/attachment.cgi?id=8955223
- Wayne On Thu, Oct 11, 2018 at 2:07 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, 11 Oct 2018 13:06:46 -0700 > Wayne Thayer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > This request is for inclusion of these four emSign roots operated by > > eMudhra in bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1442337 > > I would like to read more about eMudhra / emSign. > > I have never heard of this entity before, perhaps because they're > Indian (if I understand correctly) but perhaps because they're just > entirely new to this business. > > Of course just being new isn't inherently disqualifying, but it'd be > good to understand things like: > > - Who (human individuals) is behind this outfit, are there people we've > dealt with before in any key roles? (For example I hope we can agree > that individuals from previously distrusted CAs as leadership would > be a potential red flag) Are there people involved who've done this or > something similar before? > > - Does this entity or a legally related entity already operate a > business in this space that has a record we can look at such as: > Indian RA for another Certificate Authority, CA in another PKI, or > more distantly somewhat similar businesses such as making identity > documents, or payment card systems. > > - How did they come to decide to set up a new root CA for the Web PKI? > > Running a trustworthy CA is pretty hard, so I am at least a little bit > sceptical of the idea that people I've never hard of can wake up one > morning and decide "Hey let's run a CA" and do a good job, whether in > India, Indianapolis or Israel. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
