I'll add to this. We still do not know whether MNIS was authorised by the
CCA to act as a certification authority. As far as I recall, all our emails
to the CCA asking to clarify whether MNIS CA was recognised to operate as a
CA were not answered.
At the time of writing, only eMudhra is listed as a recognised CA on
https://www.cca.mu/ca_mru.htm
On Sat, Sep 19, 2015 at 6:23 PM, Ish Sookun <ish.sookun_at_lsldigital.mu>
wrote:
> Hello SM,
>
> On 09/19/2015 11:00 AM, S Moonesamy wrote:
>
>>
>> Should I be reassured when I read a statement by an anonymous person
>> commenting about security? :-) I would like to read the opinion of that
>> person about http://www.elandsys.com/~sm/incorrect-standard-cca.html
>>
>>
> No. I will not pay attention to what an anonymous expert has to say. It is
> not credible.
>
>
>> I'll comment about the topic. What happens if a person's National
>> Identity Card is lost or stolen? The ID card contains personal data.
>> It becomes a problem for that person if that ID card is misused by
>> another person. How would the person prove that he or she did not use
>> the card for illegal purposes?
>>
>>
> A lot of people think that if some "data" is encrypted it becomes totally
> secure. Well, one might think of that as security as long as the decryption
> key does not leak. In the context of the National Identity Card, we need to
> realise that once a person's biometric data have been compromised and
> misused, it becomes complicated to prove who committed a certain
> transaction using the biometric data.
>
> Are our local teams ready and equipped to investigate such incidents
> should they arise?
>
> I quote from an article on orange.mu (
> http://www.orange.mu/kinews/dossiers/societe/418048/les-donnees-biometriques-des-nouvelles-cartes-d-rsquo-identite-nationale-ne-seront-pas-stockees.html
> ):
>
> "It is in fact a verification system (One to one),
> unlike the old system (One to many)."
>
> If I recall well, during the two cases against the ID Card in the Supreme
> Court it was said that the card readers will not do any checks on the
> centralized database. What should I understand by "unlike the old
> system (One to many)"?
>
> In the same article the following is mentioned:
>
> "According to the technicians working for the registration centres,
> when the fingerprints are taken, it takes a certain amount of time
> to convert them into codes to be placed in the new identity card."
>
> According to the technicians the conversion of fingerprint images into
> minutiae requires a certain amount of time and that cannot be done on the
> premises. As per the article the fingerprint images are then deleted to
> conform with the Supreme Court judgment.
>
> The photo of a person is "biometric data", yet it is stored in the
> database. The fingerprint minutiae are "biometric data", yet they are
> stored in the ID Card.
>
>> The following is the Ministry of Information and Communication
>> Technology's reply to an issue raised in a report of the Director of
>> Audit [2]:
>>
>> "The use of DSCs was compromised due to policy decision of the change
>> in the domain
>> name from gov.mu to govmu.org."
>>
>> Does that policy decision also affect the National Identity Card? I
>> don't know.
>>
>>
> In my opinion yes, it does. We were told the MNIC was a Certification
> Authority and was responsible for issuing digital certificates in the National
> Identity Card project. We're now told that the National Identity Card
> Centre (NICC) has replaced the MNIC. What about the Certification Authority?
>
> Regards,
>
> --
> Ish Sookun
>
>
>
Received on Sat Sep 19 2015 - 22:00:24 PST