Re: CCA Mauritius Root Certificate

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Tue, 08 Dec 2015 09:37:42 -0800

Dear Mr Luckwa,

Thank you for your reply. On reading your reply I noticed that my
question about whether it is technically possible for the public key
certificate of the CCA of Mauritius to be used to enable the
interception and decryption of web (HTTPS) traffic was not clear.

Please assume that I have added the CCA Mauritius Root Certificate
(https://www.cca.mu/rootcert.htm) in my web browser. At some point
in the future the ICT Authority requests a certificate for
https://www.facebook.com from the Controller of Certification
Authorities or a Certification Authority which is affiliated with the
Government of Mauritius. I do not believe that the Controller of
Certification Authorities or a Certification Authority which is
affiliated with the Government of Mauritius will decline that
request. My opinion is based on the following:

   (a) There is a lack of transparency [1][2] in the actions of the
       ICT Authority.

   (b) The press release at https://www.cca.mu/press_pki_06122010.htm
       states that there is a Memorandum of Understanding between the
       Root Certification Authority of India and Mauritius. In July
       2014, the National Informatics Centre "improperly issued SSL
       certificates that could be used in attempts to spoof content,
       perform phishing attacks, or perform man-in-the-middle
       attacks" [3].

I welcome any feedback which the Controller of Certification
Authorities might have about the above.

Regards,
S. Moonesamy

1. http://www.elandsys.com/~sm/mu-mnis-ca.html
2. http://www.lexpress.mu/article/maurice-censure-le-site-communautaire-%C2%ABfacebook%C2%BB
3. https://technet.microsoft.com/en-us/library/security/2982792
Received on Tue Dec 08 2015 - 17:39:27 PST
