Could MNIS CA be illegal?

September 29, 2014

I found something that intrigues me and I am yet to obtain an answer. From various web articles, radio debates and press releases, we were told that a PKI (Public Key Infrastructure) has been set up to cater the needs for issuing digital certificates used in the new biometric ID card. MNIS CA is how this authority has been called.

To better understand what are digital certificates and how does a PKI operate, one may look at this article by Subramanian Moonesamy. He explained the various acronyms and operations in simple terms.

A quick explanation about this mechanism could be as follows:

ssl-lockLet’s imagine I ask you some sensitive information and you have to send me that in a secure manner. One way would be locking that in a case and post it to me. However, if you send me a case & I don’t have a key to open it, it’s futile. So, what I do is I send you a case plus a key along with my request. Now, you can put the sensitive information in the case, lock it using the key and send me the case back. If the case is lost or stolen during transfer, no one would be able to open it anyway. Once I receive the case I have a complementary key to open it. In simple terms this is how SSL (Secure Sockets Layer) works.

Certificate Authorities are those who certify the authenticity of key holders and guarantee a request as being a trusted one.

Coming back to my initial quest about MNIS CA, I was actually interested to know if that body is a « trusted » and recognized issuer. How does one verify that? Well, in Mauritius we have a Controller of Certification Authorities. As it happens, the ICT Authority of Mauritius also acts as the Controller of Certification Authorities.

Function of the ICT Authority (ICTA) as the CCA of Mauritius Under section 18 (z) of the Information and Communication Technologies Act 2001, the ICT Authority is the Controller of Certification Authorities in Mauritius. The Controller of Certification Authorities as the “Root” Authority certifies the technologies, infrastructure and practices of all the Certification Authorities (CA) licensed/recognised/approved to issue Digital Signature Certificates.
- Quote from www.cca.mu

When I browsed the list of recognized CAs of Mauritius, I was baffled to see only one entry and it wasn’t MNIS CA. This intrigued me. If MNIS CA is not a recognized/registered Certification Authority then how come is it issuing certificates for a sensitive & high profile project such as the biometric ID card. This also baffled me with other questions; who holds the key to decrypt biometric data from the ID Cards? Is MNIS CA operating under legal boundaries? Who runs MNIS CA, Mauritians or foreigners?

In various debates when I was questioned regarding the security of things surrounding MNIS, I specified that the infrastructure is un-healthy. By infrastructure I explained that it does not limit to computers. An infrastructure involves procedures, communication channels, staff personnel and everything else which is involved in the functioning of the process.

Some people tend to think of infrastructure as being just « computers » and would answer they are « highly secured ». Nah! That would be the wrong answer.

In my quest, I sent an email to CCA Mauritius today to have some clarification on the legality of MNIS CA. Even if things are quickly updated at some level, it would leave me in doubt that MNIS CA has been operating for more than a year in illegality, based on the current information available.

Update #1

A friend shared the following piece of information on facebook as stated in the Electronics Act:

No person or body shall act as certification authority in Mauritius unless - (a) he or it holds a valid license issued by the Controller under regulation 5 or 6; (b) in the case of a foreign certification authority, it is issued with a recognition by the Controller under regulation 11 or 12; or in the case of a public sector agency, it is issued with an approval under section 15 or 16.

Upadte #2 - 7 Oct 2014

Been a week and still no answer from the Controller of Certification Authorities of Mauritius. In a bid to get an answer, I have forwarded the request to ICTA. It's been 24 hours, yet no reply. An article from the PMO website refers cabinet decisions of 17 April (year not indicated) and mentions the following (paragraph 8): « Cabinet has agreed to the introduction into the National Assembly of the Electronic Transactions (Amendment) Bill which amends the Electronic Transactions Act to enable the Information and Communication Technologies Authority to discharge the functions and exercise the powers of the Controller of Certification Authorities, an entity responsible for regulating Certifying Authorities within the National Public Key Infrastructure for Mauritius. The Certifying Authorities provide policy and technical framework for secure and trustworthy electronic transactions through systematic and diligent issuance, management and revocation of digital certificates. Mauritius would make use of the National Public Key Infrastructure for the first time with the smart card based Mauritius National Identity Card. The holder of the new identity card would be able to generate his/her digital signature for use on electronic versions of documents. »

The following documents provide additional reference:

Electronic Transactions (Certification Authorities) Regulations 2010, source ICTA. The Electronics Transactions (Amendment) Act 2009, source ICTA.

- The National Identity Card (Miscellaneous Provisions) Bill Voted yesterday - Mauritius National ID Card - data safety - Mauritius National ID Card - features

Image source: coasthost.net.au