Re: CCA Mauritius Root Certificate

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Tue, 08 Dec 2015 13:05:23 -0800

Hi Nadim, Ish,
At 10:09 08-12-2015, Ish Sookun wrote:
>The Root CA of India was at some point being discussed [1] to be
>included in Mozilla Firefox browser's bundled list [2] of CAs.
>Luckily, the major security blunder that happened in 2014 stopped
>the inclusion.

Thanks for the above. I see that the comments from the Chief
Operations Manager, NICCA were not convincing as the Root Certificate
CA was not approved.

>Now, if the Root CA of Mauritius expresses its wish to be included
>in the CA list of Firefox, what will be the implications?

In my opinion, the request from the Root CA of Mauritius will be
rejected as the CCA does not understand the technical
standards. There will also be a public discussion about the
policy. Would the CCA be convincing in that public discussion?

At 10:24 08-12-2015, Nadim Bundhoo wrote:
>What is this certificate about? For example, as a newbie, what need
>I know about it? How is CCA Mauritius different from others?

There are certificates included by default in your web browser so
that the web browser can verify that you connected to the "right"
HTTPS web site. By adding the Root CA of Mauritius to your web
browser, you are trusting the CCA to verify whether your web browser
is connected to the "right" HTTPS web site.

The difference between the Root CA of Mauritius and other Root CAs is
that the Mauritian CA is not recognized as a trusted CA by any major
web browser. By default, people in Mauritius do not consider the
Root CA for Mauritius as valid.

>If I understand well, Microsoft is aware of improperly issued SSL
>certificates by NIC India. What are the implications of issuing such
>improper certificates?

The implications are that it affects the credibility of NIC India and
that users who pay attention to security would no longer trust
certificates issued by that CA.

>Since we copy everyone (Singapore, X, Y, Z, India), is there a
>possibility that CCA Mauritius copies NIC India and issues improper
>certificates, knowingly or unknowingly?

Yes.

> Does this mean that certificates issued by CCA Mauritius can be
> used to spoof contents or perform phishing attacks?

Yes.

Regards,
S. Moonesamy
Received on Tue Dec 08 2015 - 21:05:57 PST
