This request is to include the “Hellenic Academic and Research
Institutions RootCA 2015” and “Hellenic Academic and Research
Institutions ECC RootCA 2015” root certificates, and enable the Websites
and Email trust bits for both roots.
Hellenic Academic and Research Institutions Certification Authority
(HARICA) is a non-profit organization serving the Greek Academic and
Research Community, and is operated by the Greek Universities Network
(www.gunet.gr).
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1201423
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8697399
Noteworthy points:
* The primary document is the CPS, provided in Greek and English
Document Repository: http://www.harica.gr/procedures
CPS: http://www.harica.gr/documents/CPS-EN.pdf
* CA Hierarchy:
** The new roots will be cross-signed by “Hellenic Academic and Research
Institutions RootCA 2011” to assist the rollover.
** “Hellenic Academic and Research Institutions RootCA 2011” currently
has 20 internally operated and technically-constrained subCAs.
There is currently one externally-operated subordinate CA:
- Aristotle University of Thessaloniki
- http://www.auth.gr, http://it.auth.gr
- http://www.pki.auth.gr/certs/AuthCentralCAR3.pem, (to be
decommissioned by Sep 2015)
- http://www.pki.auth.gr/certs/AuthCentralCAR4.pem
- http://www.pki.auth.gr/certs/AuthCentralCAR5.pem
- AuthCentralCAR4 and AuthCentralCAR5 issue sub-CAs and end user/server
certificates
- http://www.pki.auth.gr/documents/CPS-EN.pdf
- Sections in CP/CPS demonstrating the measures to verify:
-- Ownership of domain name: 3.2.2, 3.2.3.2 and 3.2.5
-- Ownership of e-mail: 3.2.2, 3.2.3.1 and 3.2.5
- For all certificates chaining up to these sub-CAs, both the
organization and the ownership/control of the domain are verified.
- This CA is currently operated by the same administration team as the
HARICA Root CA.
- OCSP: http://ocsp.pki.auth.gr
- Audit: http://pki.auth.gr/documents/AUTH-ETSI_CERTIFICATE_AUTH_W_ANNEX
** “Hellenic Academic and Research Institutions ECC RootCA 2015”
currently has the following internally-operated subCAs:
- Hellenic Academic and Research Institutions ECC AdminCA R1
We plan to issue the following internally operated subCAs for specific
usages:
- ECC Client Authentication and SecureEmail
- ECC Code Signing
- ECC SSL (DV/OV) Server Certificates
There are currently no externally operated subCAs issued from this root.
According to our CP/CPS, in case of externally operated CAs, they will
either be technically constrained or publicly disclosed and audited.
* This request is to enable the Websites and Email trust bits for both
root certs. HARICA is not requesting EV treatment.
** CPS section 3.2.3.1: HARICA central RA uses three methods for e-mail
ownership and control verification:
- The first method uses simple e-mail verification. The user enters the
e-mail address at the initial certificate request form and a
verification e-mail is sent to the user with a link to a unique web
page. After following this link, an e-mail is sent to the institution's
network operation center mail administrator that requires an approval
based on the full name entered by the user and the user's email. This
approval requires the identification of the user with his/her physical
presence and an acceptable official document.
- The second method uses an LDAP server. The user enters the personal
e-mail address at the initial certificate request form and the
corresponding password. This information is verified against the
institution's LDAP server. If the verification is successful, the RA
queries the real name of the user and creates the certificate request.
In order for a user to be listed in the Institutional Directory server,
the institution must have verified the user with his/her physical
presence and an acceptable official photo-id document.
- The third method uses a Single Sign On (SSO) architecture based on the
SAML specification. The user enters the personal e-mail address at the
initial request form and is then redirected to the appropriate web page
of the Identity Provider. The Identity Provider verifies the user and
returns the real name and the email address of the user as attributes to
the Registration Authority. In order for a user to be verified by the
Identity Provider of an institution, the institution must have verified
the user with his/her physical presence and an acceptable official
photo-id document.
** CPS section 3.2.3.2: For each Fully-Qualified Domain Name listed in a
Certificate, the CA SHALL confirm that, as of the date the Certificate
was issued, the Applicant either is the Domain Name Registrant or has
control over the FQDN by:
- Confirming the Applicant as the Domain Name Registrant directly with
the Domain Name Registrar,
- Communicating directly with the Domain Name Registrant using an
address, email, or telephone number provided by the Domain Name Registrar;
- Communicating directly with the Domain Name Registrant using the
contact information listed in the WHOIS record's "registrant",
"technical", or "administrative" field;
- Communicating with the Domain’s administrator using an email address
created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’,
‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign
(“@”), followed by the Domain Name, which may be formed by pruning zero
or more components from the requested FQDN;
- Relying upon a Domain Authorization Document;
- Having the Applicant demonstrate practical control over the FQDN by
making an agreed-upon change to information found on an online Web page
identified by a uniform resource identifier containing the FQDN; or
- Using any other method of confirmation, provided that the CA maintains
documented evidence that the method of confirmation establishes that the
Applicant is the Domain Name Registrant or has control over the FQDN to
at least the same level of assurance as those methods previously described.
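The fourth method above (a "constructed" administrator address at the FQDN or at a parent domain formed by pruning leading labels) is the one most often implemented in code by a registration authority, and the one where a sloppy check can accept an address that is not actually the domain administrator's. The following is an added illustration written for this discussion; it is not HARICA's or Mozilla's code and is not taken from the CPS. It encodes the five permitted local parts and the pruning rule exactly as quoted; the MIN_LABELS floor (refusing to prune down to a bare top-level label) is an assumption of this example, not a rule stated in the quoted text.

```python
"""Check whether a contact address is an acceptable 'constructed' domain
administrator address under the rule quoted from HARICA CPS section 3.2.3.2:
one of admin/administrator/webmaster/hostmaster/postmaster in the local
part, '@', then the requested FQDN or a parent domain obtained by pruning
zero or more leading labels.

Added illustration, not HARICA's or Mozilla's code.
"""

ALLOWED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Assumption of this example (not in the quoted CPS text): never prune all
# the way down to a bare top-level label, so that e.g. admin@gr is never
# treated as an authorized address for www.example.ac.gr.
MIN_LABELS = 2


def candidate_domains(fqdn: str, min_labels: int = MIN_LABELS) -> list[str]:
    """Return the FQDN and every parent domain formed by pruning zero or
    more leading labels, stopping before fewer than min_labels remain.

    Labels are lower-cased and a trailing dot is tolerated; an empty label
    (e.g. 'www..example.gr') is rejected rather than silently collapsed.
    """
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed FQDN: {fqdn!r}")
    return [".".join(labels[i:]) for i in range(len(labels) - min_labels + 1)]


def is_constructed_admin_address(email: str, fqdn: str) -> bool:
    """True if email uses one of the five permitted local parts at the FQDN
    or at one of its pruned parent domains.  The comparison is
    case-insensitive; anything that is not exactly local@domain fails."""
    if email.count("@") != 1:
        return False
    local, _, domain = email.strip().lower().partition("@")
    if local not in ALLOWED_LOCAL_PARTS:
        return False
    return domain.rstrip(".") in candidate_domains(fqdn)


if __name__ == "__main__":
    # Constructed sample inputs for a certificate request covering
    # www.example.ac.gr (hypothetical name, not a real applicant).
    requested_fqdn = "www.example.ac.gr"
    for addr in (
        "hostmaster@example.ac.gr",   # parent domain, permitted local part
        "Postmaster@WWW.Example.ac.gr",  # case differences are irrelevant
        "security@example.ac.gr",     # local part not in the allowed set
        "admin@other.gr",             # unrelated domain
        "admin@gr",                   # pruned too far (example's floor)
    ):
        print(f"{addr:32} -> {is_constructed_admin_address(addr, requested_fqdn)}")
```

A registration authority would run this check before sending the challenge e-mail, so that only an address the rule actually authorizes receives it; the candidate list also makes it easy to log which parent domain was relied on for the validation record.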
* Root Certificate Download URLs:
http://www.harica.gr/certs/HaricaRootCA2015.der
http://www.harica.gr/certs/HaricaECCRootCA2015.der
* EV Policy OID: Not requesting EV treatment
* Test Websites:
https://www2.harica.gr/
https://www3.harica.gr/
* CRL URLs:
http://crlv1.harica.gr/HaricaRootCA2015/crlv1.der.crl
http://crlv1.harica.gr/HaricaAdministrationCAR5/crlv1.der.crl
CPS section 4.9.7: For end-user/device certificates ... the CRL will be
in effect for a maximum time of ten days.
* OCSP URL: http://ocsp.harica.gr
For Subscriber Certificates: OCSP responses have a maximum expiration
time of two days.
* Audit: Annual audits are performed by QMSCERT, according to the ETSI
TS 102 042 criteria.
http://www.qmscert.com/share/HARICA-ETSI_CERTIFICATE_AUTH_W_ANNEX.pdf
This begins the discussion of the request from HARICA to include the
“Hellenic Academic and Research Institutions RootCA 2015” and “Hellenic
Academic and Research Institutions ECC RootCA 2015” root certificates,
and enable the Websites and Email trust bits for both roots.
At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy