On Friday, October 12, 2018 at 5:07:55 AM UTC+8, Nick Lamb wrote: > On Thu, 11 Oct 2018 13:06:46 -0700 > Wayne Thayer via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > This request is for inclusion of these four emSign roots operated by > > eMudhra in bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1442337 > > I would like to read more about eMudhra / emSign.
I'm from eMudhra. There is more information available about us at www.emudhra.com (corporate website) and www.e-mudhra.com (Indian CA website). > > I have never heard of this entity before, perhaps because they're > Indian (if I understand correctly) but perhaps because they're just > entirely new to this business. > > Of course just being new isn't inherently disqualifying, but it'd be > good to understand things like: > > - Who (human individuals) is behind this outfit, are there people we've > dealt with before in any key roles? (For example I hope we can agree > that individuals from previously distrusted CAs as leadership would > be a potential red flag) Are there people involved who've done this or > something similar before? > > - Does this entity or a legally related entity already operate a > business in this space that has a record we can look at such as: > Indian RA for another Certificate Authority, CA in another PKI, or > more distantly somewhat similar businesses such as making identity > documents, or payment card systems. > > - How did they come to decide to set up a new root CA for the Web PKI? > We have been operating PKI since last 10+ years in India. But this was not a complete Webtrust audited setup. Rather, it is under Government of India. We are also chair of India PKI Forum, as well as vice chair of Asia PKI Consortium working on PKI regulation, adoption and awareness, predominantly for client certificates. We also do TLS certificates under India, but limited for a few government requirements. We also work with several PKI implementation and operation in Africa, Middle east, etc. emSign is an initiative with our roots (new) audited under Webtrust, and intends to issue TLS in India and Rest of the World. This setup is separate from our Indian CA setup. > Running a trustworthy CA is pretty hard, so I am at least a little bit > sceptical of the idea that people I've never hard of can wake up one > morning and decide "Hey let's run a CA" and do a good job, whether in > India, Indianapolis or Israel. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
