September 29, 2014
I found something that intrigues me and I am yet to obtain an answer. From various web articles, radio debates and press releases, we were told that a PKI (Public Key Infrastructure) has been set up to cater the needs for issuing digital certificates used in the new biometric ID card. MNIS CA is how this authority has been called.
To better understand what are digital certificates and how does a PKI operate, one may look at this article by Subramanian Moonesamy. He explained the various acronyms and operations in simple terms.
A quick explanation about this mechanism could be as follows:
Let’s imagine I ask you some sensitive information and you have to send me that in a secure manner. One way would be locking that in a case and post it to me. However, if you send me a case & I don’t have a key to open it, it’s futile. So, what I do is I send you a case plus a key along with my request. Now, you can put the sensitive information in the case, lock it using the key and send me the case back. If the case is lost or stolen during transfer, no one would be able to open it anyway. Once I receive the case I have a complementary key to open it. In simple terms this is how SSL (Secure Sockets Layer) works.
Certificate Authorities are those who certify the authenticity of key holders and guarantee a request as being a trusted one.
Coming back to my initial quest about MNIS CA, I was actually interested to know if that body is a « trusted » and recognized issuer. How does one verify that? Well, in Mauritius we have a Controller of Certification Authorities. As it happens, the ICT Authority of Mauritius also acts as the Controller of Certification Authorities.
When I browsed the list of recognized CAs of Mauritius, I was baffled to see only one entry and it wasn’t MNIS CA. This intrigued me. If MNIS CA is not a recognized/registered Certification Authority then how come is it issuing certificates for a sensitive & high profile project such as the biometric ID card. This also baffled me with other questions; who holds the key to decrypt biometric data from the ID Cards? Is MNIS CA operating under legal boundaries? Who runs MNIS CA, Mauritians or foreigners?
In various debates when I was questioned regarding the security of things surrounding MNIS, I specified that the infrastructure is un-healthy. By infrastructure I explained that it does not limit to computers. An infrastructure involves procedures, communication channels, staff personnel and everything else which is involved in the functioning of the process.
Some people tend to think of infrastructure as being just « computers » and would answer they are « highly secured ». Nah! That would be the wrong answer.
In my quest, I sent an email to CCA Mauritius today to have some clarification on the legality of MNIS CA. Even if things are quickly updated at some level, it would leave me in doubt that MNIS CA has been operating for more than a year in illegality, based on the current information available.
A friend shared the following piece of information on facebook as stated in the Electronics Act:
Upadte #2 - 7 Oct 2014
The following documents provide additional reference:
- The National Identity Card (Miscellaneous Provisions) Bill Voted yesterday - Mauritius National ID Card - data safety - Mauritius National ID Card - features