On 11/12/2015 12:55 PM, Dimitris Zacharopoulos wrote:
On 11/12/2015 1:29 AM, Kathleen Wilson wrote:
This request is to include the “Hellenic Academic and Research
Institutions RootCA 2015” and “Hellenic Academic and Research
Institutions ECC RootCA 2015” root certificates, and enable the Websites and Email trust bits for both roots.

Hellenic Academic and Research Institutions Certification Authority (HARICA) is a non-profit organization serving the Greek Academic and Research Community; operated by the Greek Universities Network (www.gunet.gr).

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1201423

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8697399

Noteworthy points:

* The primary documents are the CPS; provided in Greek and English

Document Repository: http://www.harica.gr/procedures
CPS: http://www.harica.gr/documents/CPS-EN.pdf

* CA Hierarchy:
** The new roots will be cross-signed by “Hellenic Academic and Research Institutions RootCA 2011” to assist the rollover.
** “Hellenic Academic and Research Institutions RootCA 2011” currently has 20 internally operated and technically-constrained subCAs.
There is currently one externally-operated subordinate CA:
- Aristotle University of Thessaloniki
- http://www.auth.gr, http://it.auth.gr
- http://www.pki.auth.gr/certs/AuthCentralCAR3.pem, (to be decommissioned by Sep 2015)
- http://www.pki.auth.gr/certs/AuthCentralCAR4.pem
- http://www.pki.auth.gr/certs/AuthCentralCAR5.pem
- AuthCentralCAR4 and AuthCentralCAR5 issue sub-CAs and end user/server certificates
- http://www.pki.auth.gr/documents/CPS-EN.pdf
- Sections in CP/CPS demonstrating the measures to verify:
-- Ownership of domain name: 3.2.2, 3.2.3.2 and 3.2.5
-- Ownership of e-mail: 3.2.2, 3.2.3.1 and 3.2.5
- For all certificates chaining up to these Sub-CAs, both the organization and the ownership/control of the domain are verified.
- This CA is currently operated by the same administration team as the HARICA Root CA.
- OCSP: http://ocsp.pki.auth.gr
- Audit: http://pki.auth.gr/documents/AUTH-ETSI_CERTIFICATE_AUTH_W_ANNEX

** “Hellenic Academic and Research Institutions ECC RootCA 2015” currently has the following internally-operated subCAs:
- Hellenic Academic and Research Institutions ECC AdminCA R1
We plan to issue the following internally operated subCAs for specific usages:
- ECC Client Authentication and SecureEmail
- ECC Code Signing
- ECC SSL (DV/OV) Server Certificates
There are currently no externally operated subCAs issued from this root. According to our CP/CPS, in case of externally operated CAs, they will either be technically constrained or publicly disclosed and audited.

* This request is to enable the Websites and Email trust bits for both root certs. HARICA is not requesting EV treatment.

** CPS section 3.2.3.1: HARICA central RA uses three methods for e-mail ownership and control verification:
- The first method uses simple e-mail verification. The user enters the e-mail address at the initial certificate request form and a verification e-mail is sent to the user with a link to a unique web page. After following this link, an e-mail is sent to the institution's network operation center mail administrator that requires an approval based on the full name entered by the user and the user's email. This approval requires the identification of the user with his/her physical presence and an acceptable official document.
- The second method uses an LDAP server. The user enters the personal e-mail address at the initial certificate request form and the corresponding password. This information is verified against the institution's LDAP server. If the verification is successful, the RA queries the real name of the user and creates the certificate request. In order for a user to be listed in the Institutional Directory server, the institution must have verified the user with his/her physical presence and an acceptable official photo-id document.
- The third method uses a Single Sign On (SSO) architecture based on the SAML specification. The user enters the personal e-mail address at the initial request form and is then redirected to the appropriate web page of the Identity Provider. The Identity Provider verifies the user and returns the real name and the email address of the user as attributes to the Registration Authority. In order for a user to be verified by the Identity Provider of an institution, the institution must have verified the user with his/her physical presence and an acceptable official photo-id document.

** CPS section 3.2.3.2: For each Fully-Qualified Domain Name listed in a Certificate, the CA SHALL confirm that, as of the date the Certificate was issued, the Applicant either is the Domain Name Registrant or has control over the FQDN by:
- Confirming the Applicant as the Domain Name Registrant directly with the Domain Name Registrar;
- Communicating directly with the Domain Name Registrant using an address, email, or telephone number provided by the Domain Name Registrar;
- Communicating directly with the Domain Name Registrant using the contact information listed in the WHOIS record's "registrant", "technical", or "administrative" field;
- Communicating with the Domain’s administrator using an email address created by pre-pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at-sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;
- Relying upon a Domain Authorization Document;
- Having the Applicant demonstrate practical control over the FQDN by making an agreed-upon change to information found on an online Web page identified by a uniform resource identifier containing the FQDN; or
- Using any other method of confirmation, provided that the CA maintains documented evidence that the method of confirmation establishes that the Applicant is the Domain Name Registrant or has control over the FQDN to at least the same level of assurance as those methods previously described.

* Root Certificate Download URLs:
http://www.harica.gr/certs/HaricaRootCA2015.der
http://www.harica.gr/certs/HaricaECCRootCA2015.der

* EV Policy OID: Not requesting EV treatment

* Test Websites:
https://www2.harica.gr/
https://www3.harica.gr/

* CRL URLs:
http://crlv1.harica.gr/HaricaRootCA2015/crlv1.der.crl
http://crlv1.harica.gr/HaricaAdministrationCAR5/crlv1.der.crl
CPS section 4.9.7: For end-user/device certificates ... the CRL will be in effect for a maximum time of ten days.

* OCSP URL: http://ocsp.harica.gr
For Subscriber Certificates: OCSP responses have a maximum expiration time of two days.

* Audit: Annual audits are performed by QMSCERT, according to the ETSI TS 102 042 criteria.
http://www.qmscert.com/share/HARICA-ETSI_CERTIFICATE_AUTH_W_ANNEX.pdf

This begins the discussion of the request from HARICA to include the “Hellenic Academic and Research Institutions RootCA 2015” and “Hellenic Academic and Research Institutions ECC RootCA 2015” root certificates, and enable the Websites and Email trust bits for both roots.

At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
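The "constructed e-mail" method in the CPS section 3.2.3.2 excerpt above allows the local parts admin, administrator, webmaster, hostmaster or postmaster at the FQDN or at any domain formed by pruning leading labels from it. The following added example (not HARICA's or Mozilla's code) enumerates exactly that address set for a requested FQDN and stops pruning at the registrable domain, since an address such as admin@gr identifies nobody; the embedded suffix list is a constructed stand-in for the real Public Suffix List.

```python
"""Enumerate the administrator addresses a CA may contact under the
constructed-e-mail method quoted from CPS section 3.2.3.2."""

# The five local parts named in the CPS text, verbatim.
ADMIN_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")

# Assumption: a constructed, deliberately tiny stand-in for the Public Suffix
# List. A production check would load the full list instead.
PUBLIC_SUFFIXES = frozenset({"gr", "com", "org", "net", "uk", "co.uk", "ac.uk"})


def registrable_domain(fqdn: str) -> str:
    """Return the public suffix plus one label; pruning must never go below it."""
    labels = fqdn.lower().rstrip(".").split(".")
    # Walking from the left tries the longest trailing run first, so a
    # multi-label suffix such as co.uk wins over uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{fqdn!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels


def candidate_domains(fqdn: str) -> list[str]:
    """Domains formed by pruning zero or more leading labels from the FQDN,
    from the FQDN itself down to (and including) the registrable domain."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn.startswith("*."):          # a wildcard label is not a contactable host
        fqdn = fqdn[2:]
    stop = registrable_domain(fqdn)
    labels = fqdn.split(".")
    domains = []
    for i in range(len(labels)):
        domain = ".".join(labels[i:])
        domains.append(domain)
        if domain == stop:
            break
    return domains


def constructed_admin_addresses(fqdn: str) -> list[str]:
    """Every e-mail address the CPS method permits for this FQDN."""
    return [f"{local}@{domain}"
            for domain in candidate_domains(fqdn)
            for local in ADMIN_LOCAL_PARTS]


if __name__ == "__main__":
    for address in constructed_admin_addresses("www.pki.auth.gr"):
        print(address)
```

A validation team can use the output as an allow-list: a confirmation e-mail sent to any address outside it does not satisfy this method.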


Hello everyone,

We would also like to add that HARICA is currently a Qualified Certification Service Provider according to the EU Signature Directive (Directive 1999/93/EC).

We are drafting a new CP/CPS which is subject to further changes and will be posted to the bug on Monday Dec 14th. This CP/CPS will eventually replace the one listed at http://www.harica.gr/documents/CPS-EN.pdf so please consider the DRAFT CP/CPS version for your review once we upload it. We would like to go through the typical CP/CPS change procedure only once (if possible), after we get all feedback from the public discussion.


Best regards,
Dimitris Zacharopoulos.




The Draft CP/CPS has been uploaded to the bug <https://bugzilla.mozilla.org/show_bug.cgi?id=1201423> and is available for download at the following URL:

 * https://bugzilla.mozilla.org/attachment.cgi?id=8698099


Best regards,
Dimitris Zacharopoulos.


--
HARICA Public Key Infrastructure

Dimitris Zacharopoulos
PKI Manager
t : +30 2310 998483
f : +30 2310 999100
www.harica.gr
