Re: CCA Mauritius Root Certificate

From: Nadim Bundhoo <nadim_at_devisprox.com>
Date: Tue, 8 Dec 2015 22:24:33 +0400

Hello SM,

On 8 December 2015 at 21:37, S Moonesamy <sm+mu_at_elandsys.com> wrote:

> Dear Mr Luckwa,
>
> Thank you for your reply. On reading your reply I noticed that my
> question about whether it is technically possible for the public key
> certificate of the CCA of Mauritius to be used to enable the interception
> and decryption of web (HTTPS) traffic was not clear.
>
> Please assume that I have added CCA Mauritius Root Certificate (
> https://www.cca.mu/rootcert.htm ) in my web browser.

What is this certificate about? For example, as a newbie, what need I know
about it? How is CCA Mauritius different from others?

> At some point in future the ICT Authority requests a certificate for
> https://www.facebook.com from the Controller of Certification Authorities
> or a Certification Authority which is affiliated with the Government of
> Mauritius. I do not believe that the Controller of Certification
> Authorities or a Certification Authority which is affiliated with the
> Government of Mauritius will decline that request. My opinion is based on
> the following:
>
> (a) There is a lack of transparency [1][2] in the actions of the ICT
> Authority.
>
> (b) The press release at https://www.cca.mu/press_pki_06122010.htm states
> that there is a Memorandum of Understanding between the Root Certification
> Authority of India and Mauritius. In July 2014, the National Informatics
> Centre "improperly issued SSL certificates that could be used in attempts
> to spoof content, perform phishing attacks, or perform man-in-the-middle
> attacks" [3].
>
> I welcome any feedback which the Controller of Certification Authorities
> might have about the above.
>

If I understand well, Microsoft is aware of improperly issued SSL
certificates by NIC India. What are the implications of issuing such
improper certificates?

Since we copy everyone (Singapore, X, Y, Z, India), is there a possibility
that CCA Mauritius copies NIC India and issues improper certificates,
knowingly or unknowingly? Does this mean that certificates issued by CCA
Mauritius can be used to spoof contents or perform phishing attacks?


Regards,
Nadim Attari
Received on Tue Dec 08 2015 - 18:24:48 PST
