On Friday, October 12, 2018 at 6:33:53 AM UTC+8, Matt Palmer wrote: > On Thu, Oct 11, 2018 at 02:36:18PM -0700, Wayne Thayer via > dev-security-policy wrote: > > Nick - I expect an emSign representative to respond to all of your > > questions, but their information request indicates that they have been > > operating the Indian Government Root for more than 10 years and have issued > > over 35 million certificates: > > https://bug1442337.bmoattachments.org/attachment.cgi?id=8955223 > > The phrasing in the paragraph (I think) you're referencing is ambiguous: > > > eMudhra has been a licensed CA under Controller of Certifying Authorities > > which operates the Indian Government Root for more than 10 years > > I'm not sure whether it's eMudhra or the "Controller of Certifying > Authorities" which has been operating the Indian Government Root for more > than 10 years. At any rate, I can't seem to find any information about this > "Indian Government Root", how it works, what it's used for, and what its > criteria are, and so it's a bit hard to tell whether it's anything to be > particularly proud of.
Controller of Certifying Authorities is a government body defined under Indian Information Technology Act. We operate under the license of them. The work we have done so far is more on client certificates. (www.cca.gov.in) We have been partner for Indian Tax system (Income Tax and GST) and also the company law filings to enable paperless filings through trusted client certificates. The CA Operation undergoes stringent audit measures imposed by the Government on annual basis, in addition to regular internal audits. emSign are the new roots intended for issuance of TLS, Code Sign (and client) certificates. This has undergone Webtrust audits by BDO.The roots are currently trusted in Microsoft root program. In progress in Mozilla, Apple and others. > > If eMudhra *have* been in the CA business for 10 years, but they still > managed to produce a CPS with the extensive list of "Bad"-grade practices > you enumerated in your opening e-mail, that's... not encouraging. > > - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
