On Thu, Oct 11, 2018 at 02:36:18PM -0700, Wayne Thayer via dev-security-policy wrote: > Nick - I expect an emSign representative to respond to all of your > questions, but their information request indicates that they have been > operating the Indian Government Root for more than 10 years and have issued > over 35 million certificates: > https://bug1442337.bmoattachments.org/attachment.cgi?id=8955223
The phrasing in the paragraph (I think) you're referencing is ambiguous: > eMudhra has been a licensed CA under Controller of Certifying Authorities > which operates the Indian Government Root for more than 10 years I'm not sure whether it's eMudhra or the "Controller of Certifying Authorities" which has been operating the Indian Government Root for more than 10 years. At any rate, I can't seem to find any information about this "Indian Government Root", how it works, what it's used for, and what its criteria are, and so it's a bit hard to tell whether it's anything to be particularly proud of. If eMudhra *have* been in the CA business for 10 years, but they still managed to produce a CPS with the extensive list of "Bad"-grade practices you enumerated in your opening e-mail, that's... not encouraging. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy