Closed Bug 1690054 Opened 3 years ago Closed 3 years ago

EV-Enable HARICA 2015 Root CAs

Categories: CA Program :: CA Certificate Root Program, task, P1

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: bwilson, Assigned: bwilson

Whiteboard: [ca-approved] - EV enabled in FF 95

Attachments: 3 files

EV treatment for HARICA "2015" Root CA Certificates in the Mozilla Root Program:

  • Hellenic Academic and Research Institutions ECC RootCA 2015
  • Hellenic Academic and Research Institutions RootCA 2015

Mozilla Root Inclusion Case Information:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000713

(CA may access Case No. 713 here - https://ccadb.force.com/5004o00000JZbCcAAL)

HARICA's latest CP/CPS is available at https://repo.harica.gr/documents/CPS-EN.pdf

EV readiness successful test for HARICA Root CA 2015 following instructions from
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

EV readiness successful test for HARICA ECC Root CA 2015 following instructions from
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

The "Mozilla Additional Requirements" section was updated in the CCADB case.

Please let us know if you need any further information added to this bug or the CCADB case.

Flags: needinfo?(bwilson)

We just need you to complete the section titled "PKI Hierarchy" and then I can move this enablement request into the queue for CP/CPS Review.

Our PKI Hierarchy is already included in Annex C of our CP/CPS. Please let us know if you need it on a separate document.

Flags: needinfo?(bwilson)
Whiteboard: [ca-initial] → [ca-verifying]
Whiteboard: [ca-verifying] → [ca-cps-review] BW 2021-02-24

Review of the HARICA CP/CPS Version 4.3 (February 18th 2021)

https://repo.harica.gr/documents/CPS-EN.pdf

Based on version 1.7.4 of the CABF EV Guidelines


EVG Section 8.1 – the CA shall notify the CAB Forum if a provision of the EV Guidelines is illegal under local government laws.

Meh – Section 9.16.3 states, “HARICA MUST also (prior to issuing an SSL/TLS certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to this CP/CPS, so that the CA/Browser Forum may consider possible revisions to their requirements/guidelines accordingly.” This is not the same as what is considered by section 8.1 of the EV Guidelines.


EVG Sections 8.2.1, 8.2.2, and Mozilla Root Store Policy – the CA must publicly disclose its business practices and update its CP/CPS on at least an annual basis (and re-version the CP/CPS, even if there are no other changes). The CP/CPS must be formatted according to RFC 3647.

Good


EVG Section 8.3 – the CA shall have a statement that it conforms to the current version of the EV guidelines and that in the event of any inconsistency, the EV guidelines take precedence.

OK – HARICA CP/CPS section 1.5.4 – “Even if there are is no compulsory reason for a change in this CP/CPS, the PMC performs a review process at least annually in an effort to improve policies and practices (opportunity for improvement).”


EVG Section 8.4 – the CA shall maintain liability insurance of US$2 million and professional liability insurance of US$5 million.

Good – CP/CPS Section 9.8 - “HARICA’s liability under this CP/CPS sustained by Subscribers or Relying Parties is limited to a maximum of 2.000€ per Certificate for Qualified Signatures/Seals, Qualified Certificates for website authentication, Extended Validation Certificates for SSL. This is covered via a Professional Liability/Errors and Omissions insurance, with policy limits of five million Euros (5.000.000€) in coverage, including coverage for (i) claims for damages arising out of an act, error, or omission, unintentional breach of contract, or neglect in issuing or maintaining Certificates for Qualified Signatures/Seals, Qualified Certificates for web site authentication, Extended Validation Certificates for SSL.”


EVG Section 9.2.1 - the organization name must include the full legal name for the subscribing organization as listed in official records.

Good

CPS section 9.6.1 states, “HARICA has confirmed that, as of the date the EV Certificate was issued, the legal name of the Subject named in the EV Certificate matches the name on the official government records of the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration, and if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business”


EVG Sections 9.2.3, 11.2.1 and 11.2.2 – The CA must verify the Applicant’s legal existence and identity directly with the incorporating agency or registration agency and the business category field must contain one of the following: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity"

OK - HARICA CP/CPS Section 9.6.1 states, “Legal Existence: HARICA has confirmed with the Incorporating or Registration Agency in the Subject’s Jurisdiction of Incorporation or Registration that, as of the date the EV Certificate was issued, the Subject named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation or Registration.” The CP/CPS does not get into the details of verifying these 4 types of entities.


Section 9.2.4 - jurisdiction of incorporation/registration fields must not contain information that is not relevant to the level of the incorporating agency or registration agency.

Good – HARICA CP/CPS Section 3.1.4 states “These fields MUST NOT contain information that is not relevant to the level of the Incorporating Agency or Registration Agency. The interpretation of this attribute is explained in section 9.2.5 of the EV Guidelines.”


EVG Sections 9.2.4, 9.2.5, and 11.1.3 – the CA shall maintain a publicly available list of its verification sources, incorporating agencies, and registration agencies (e.g. QIISes, QGISes, QGTISes). Information about where this information can be located must appear in section 3.2 of the CPS.

Good - Section 3.2.2.7 of the CP/CPS states, “Effective as of 1 October 2020, HARICA shall ensure that, prior to the use of an Incorporating Agency or Registration Agency to fulfill these verification requirements, the Incorporating Agency or Registration Agency data sources used for EV Certificates will be publicly disclosed in the repository described in section 2.1.”


EVG Sections 9.2.5 and 11.2.1 - subject registration number: if the jurisdiction of incorporation or registration does not provide a registration number, then the date of incorporation or registration is entered in this field.

Good. CPS Section 7.1.4.7 states, “If the Jurisdiction of Incorporation or Registration does not provide a Registration Number, then the date of Incorporation or Registration SHALL be entered into this field in any one of the common date formats.”


EVG Section 9.2.6 - subject physical address of place of business must contain the address of the physical location of the business.

OK (but could be improved with more content) – Section 7.1.4.7 states that the street address and postal code are for the “physical address of the Subject as verified under section 3.2.2.1.”


EVG Section 9.2.7 - the CA shall implement a process that prevents an organizational unit from including a trade name unless the CA has verified that information.

Good - Section 3.2.2.2 of the CP/CPS contains the procedure by which HARICA verifies trade names. “If the Subject Identity Information is to include a DBA or tradename, HARICA SHALL verify the Applicant’s right to use the DBA/tradename using at least one of the following: ….”


EVG Sections 9.2.8, 9.8.2, and Appendix H – if included in the certificate, the CA shall confirm registration references for legal entities.

OK – could be improved with explanation of how verification is performed. Registration references for legal entities are briefly addressed in CPS section 7.1.4.7 – “OrganizationIdentifier (OID: 2.5.4.97): Per QCP-l and QCP-l-qscd, contains a unique identifier for the Organization per ETSI EN 319 412-3. Depending on the Legal Entity’s decision, one of the following identifiers must be used: * Legal Entity’s Identification Number from a national trade register with the following semantics: “NTRGR-123456789”. In this example, GR is the Subject’s Country. * Legal Entity’s Tax Identification Number with the following semantics: “VATGR-123456789”.”


EVG Section 9.2.9 - the CA shall not include any subject attributes except as specified in section 9.2 of the EV Guidelines.

Good – CP/CPS Section 7.1.4.7 states, “With the exception of EV Certificates, other subjectDN attributes MAY be present within the subject field.”


EVG Sections 9.3.2 and 9.3.5 - subscriber certificates shall contain the appropriate EV policy OIDs.

Good – section 7.1.6 states, “EVCP (Extended Validation Certificate Policy)

  • 0.4.0.2042.1.4 as described in ETSI EN 319 411-1

  • 2.23.140.1.1 as described in CA/B Forum EV Guidelines

  • 1.3.6.1.4.1.26513.1.1.1.4” It also states, “Subscriber SSL/TLS Certificates SHALL contain one of the CA/Browser Forum reserved policy OIDs in the certificatePolicies extension.”


EVG Section 9.4 - the validity period for an EV certificate shall not exceed 398 days.

Good - Section 6.3.2 states, “The maximum validity period of Certificates is defined as: … three hundred ninety seven (397) days for SSL/TLS Certificates”.


EVG Section 9.8.1 - wildcard certificates are not allowed.

Good. Section 7.1.4.8 states, “Wildcard Certificates are not allowed for EV SSL/TLS Certificates except as permitted under Appendix F of the EV Guidelines.”


EVG Section 10.1.2 - the roles of certificate requestor, certificate approver, and contract signer are required for the issuance of EV certificates.

Good – These are found in Section 4.1.2.1 of the CPS.


EVG Section 11.2.2(4) - principal individuals must be validated in a face-to-face setting.

Needs to be fixed - It is unclear from the CP/CPS how HARICA verifies “Business Entities”, as that term is used in the EV Guidelines.


EVG Section 11.3.1 - assumed names must be verified with an appropriate government agency or a QIIS that has verified the assumed name with the appropriate government agency.

Good – Section 9.6.1 warrants that “if an assumed name is also included, that the assumed name is properly registered by the Subject in the jurisdiction of its Place of Business”.


EVG Section 11.5.1 - the CA must establish a verified method of communication with the applicant.

Meh – The CP/CPS uses the phrase “Reliable Method of Communication” from the Baseline Requirements but not “verified method of communication” as defined in the EV Guidelines. In section 3.2.5, it says, “HARICA uses information from data sources per section 3.2.2.7 to establish a reliable method of communication.”

These two phrases in the Baseline Requirements and the EV Guidelines are not the same and both should be mentioned.


EVG Section 11.6.1 - the CA must verify that the applicant has the ability to engage in business. The EV issuance process requires that the operational existence be established in one of 4 ways: “(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; (2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; (3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or (4) Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.”

Needs to be fixed – I could not find in the CP/CPS where HARICA describes how it establishes “operational existence” or the ability of an entity to engage in business.


EVG Section 11.7.1 - domain name verification must use a procedure from section 3.2.2.4 of the Baseline Requirements (BR)

Good – Validation procedures based on the provisions of BR section 3.2.2.4 are included in section 3.2.2.4 of the CP/CPS.


EVG Section 11.8.1 - the CA must verify the name and title of the contract signer and certificate approver

Needs to be fixed – The CP/CPS does not say that HARICA verifies the name and title of the contract signer and certificate approver.


EVG Section 11.9 - the CA must verify the signature on the subscriber agreement and certificate request

Needs to be fixed – The CP/CPS does not say that HARICA verifies the signature on the subscriber agreement and certificate request.


EVG Section 11.11.5 - the CA shall use documented processes to check the accuracy of a QIIS.

Good – Section 3.2.2.7 states the criteria that HARICA uses to verify the accuracy of the data sources it relies upon.


EVG Section 11.12.2 - the CA must check whether the applicant, contract signer, or certificate approver is on denied persons lists, etc.

Needs to be fixed – I could not find where this is stated in the CP/CPS.


EVG Sections 11.13, 14.1.3 and 16 - the CA must perform final cross-correlation and other due diligence based on the entire corpus of information and have multi-person, auditable controls to ensure separation of duties with respect to EV certificate issuance

Good - Section 4.2.2 of the CP/CPS states that for EV certificate issuance there is a “second Validation Specialist [who] requires additional documentation and/or verification before approving the issuance an EV certificate.” This is also fully addressed in CP/CPS Section 5.2.4.


EVG Section 11.14.3 - validation data cannot be reused after 13 months

Good - Section 4.2.1 of the CP/CPS has this information.


EVG Section 12 - root CA private keys must not be used to sign EV certificates.

Good – Section 6.1.7 says, “Private Keys corresponding to Root Certificates MUST NOT be used to sign Certificates .…”


EVG Section 14.1.1 - a CA must verify the identity and trustworthiness of anyone involved in EV processes.

Good. Section 5.3.1 of the CP/CPS states, “Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or an independent contractor, HARICA verifies the identity and trustworthiness of such person.”


EVG Section 14.1.2 – the internal examination of specialists must include the EV certificate validation criteria of the EV guidelines.

Good. Section 5.3.3 of the CP/CPS states, “Validation Specialists are trained and tested to the EV Certificate validation criteria.”


EVG Section 14.2.1 - the CA shall ensure that third-party personnel satisfy the training and skills requirements of section 14 of the EV guidelines.

Good. CP/CPS Section 5.3.7 states, “Delegated Third Party's personnel involved in the issuance of a Certificate meet the training and skills requirements of Section 5.3.3.”

Whiteboard: [ca-cps-review] BW 2021-02-24 → [ca-cps-review] BW 2021-03-29 Comment #8
Priority: -- → P1

(In reply to Ben Wilson from comment #8)

Review of the HARICA CP/CPS Version 4.3 (February 18th 2021)

https://repo.harica.gr/documents/CPS-EN.pdf

Based on version 1.7.4 of the CABF EV Guidelines

Thank you very much for the thorough review which will also help us improve and strengthen our CP/CPS.

Please see some responses below for the "Meh" and "Needs to be fixed" and please let us know if they seem to be acceptable by Mozilla.

[...]


EVG Section 8.1 – the CA shall notify the CAB Forum if a provision of the EV Guidelines is illegal under local government laws.

Meh – Section 9.16.3 states, “HARICA MUST also (prior to issuing an SSL/TLS certificate under the modified requirement) notify the CA/Browser Forum of the relevant information newly added to this CP/CPS, so that the CA/Browser Forum may consider possible revisions to their requirements/guidelines accordingly.” This is not the same as what is considered by section 8.1 of the EV Guidelines.

This language is taken from the Baseline Requirements which should achieve the same policy and has been revised more recently. We are using a common CP/CPS for EV and non-EV TLS Certificates so this should cover both cases. To explicitly incorporate the language from the EV Guidelines, we will modify this sentence in section 9.16.3 as:

"HARICA MUST also (prior to issuing an SSL/TLS certificate under the modified requirement or, if a provision of the EV Guidelines is illegal under local government laws) notify the CA/Browser Forum of the relevant information newly added to this CP/CPS, so that the CA/Browser Forum may consider possible revisions to their requirements/guidelines accordingly"

[...]


EVG Section 11.2.2(4) - principal individuals must be validated in a face-to-face setting.

Needs to be fixed - It is unclear from the CP/CPS how HARICA verifies “Business Entities”, as that term is used in the EV Guidelines.

In section 3.1.4, we have a table of names, and in that table we define businessCategory (OID: 2.5.4.15) as

"For QCP-w, QCP-w-psd2 and EV Certificates only. This field MUST contain one of the following strings: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" depending upon whether the Subject qualifies under the terms of Section 8.5.2, 8.5.3, 8.5.4 or 8.5.5 of the EV Guidelines, respectively."


EVG Section 11.5.1 - the CA must establish a verified method of communication with the applicant.

Meh – The CP/CPS uses the phrase “Reliable Method of Communication” from the Baseline Requirements but not “verified method of communication” as defined in the EV Guidelines. In section 3.2.5, it says, “HARICA uses information from data sources per section 3.2.2.7 to establish a reliable method of communication.”

These two phrases in the Baseline Requirements and the EV Guidelines are not the same and both should be mentioned.

We include the descriptions of QIIS, QGIS, QTIS in sections 3.2.2.7.1, 3.2.2.7.2 and 3.2.2.7.3 respectively.

We will update our CPS to make "Verified method of communication" more explicit. The proposed text which would be added at the end of section 3.2.2.7 is:

"For the issuance of EV Certificates, HARICA shall establish a verified method of communication with the Applicant as described in section 11.5.2 of the EV Guidelines."


EVG Section 11.6.1 - the CA must verify that the applicant has the ability to engage in business. The EV issuance process requires that the operational existence be established in one of 4 ways: “(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; (2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; (3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or (4) Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.”

Needs to be fixed – I could not find in the CP/CPS where HARICA describes how it establishes “operational existence” or the ability of an entity to engage in business.

We plan to add explicit language in section 3.2.2 about the verification of "operational existence". Here is the proposed language:

"For the issuance of EV Certificates, HARICA shall verify that the applicant has the ability to engage in business by following the requirements of section 11.6.1 of the EV Guidelines"

[...]


EVG Section 11.8.1 - the CA must verify the name and title of the contract signer and certificate approver

Needs to be fixed – The CP/CPS does not say that HARICA verifies the name and title of the contract signer and certificate approver.

Section 3.2.5 refers to the EV Guidelines for this particular task:

"For Extended Validation Certificate requests (either EV SSL/TLS or EV Code Signing), HARICA shall follow procedures described in section 11.8 of the EV Guidelines to verify the authority of the request."


EVG Section 11.9 - the CA must verify the signature on the subscriber agreement and certificate request

Needs to be fixed – The CP/CPS does not say that HARICA verifies the signature on the subscriber agreement and certificate request.

We plan to add explicit language at the end of section 4.1.2.1 about the verification of the signature on the subscriber agreement. Here is the proposed language:

"HARICA shall verify the signature on Subscriber Agreement and EV Certificate requests following the requirements of section 11.9 of the EV Guidelines."

[...]


EVG Section 11.12.2 - the CA must check whether the applicant, contract signer, or certificate approver is on denied persons lists, etc.

Needs to be fixed – I could not find where this is stated in the CP/CPS.

We plan to add explicit language at the end of section 3.2.2. Here is the proposed text:

"For the issuance of EV Certificates, HARICA checks whether the applicant, contract signer, or certificate approver is on a denied persons list published by the Greek government, if any."

Once again, thank you for the review. We're looking forward to the additional feedback to proceed with the updates.

Flags: needinfo?(bwilson)

We updated our CP/CPS (now version 4.4 published May 5th 2021) which is available at https://repo.harica.gr/documents/CPS-EN.pdf. All versions available at https://repo.harica.gr/documents/CPS. We have incorporated the suggested changes from Comment #9.

Please let us know if you need any additional information for this request.

Public discussion on this request was announced here - https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/UAmBtcVvBKw/m/o5cYt-dFAAAJ. The public discussion period is scheduled to close on 11-June-2021.

Flags: needinfo?(bwilson)
Whiteboard: [ca-cps-review] BW 2021-03-29 Comment #8 → [ca-in-discussion] 2021-05-19

The 3-week public discussion period has now passed and there were no objections to this inclusion request. See https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/UAmBtcVvBKw/m/5nZlAMk7BAAJ in which I indicated that it is Mozilla’s intent to approve HARICA’s requests for EV enablement/inclusion and started the 7-day “last call” period (through June 22, 2021) for any final objections.

Whiteboard: [ca-in-discussion] 2021-05-19 → [ca-pending-approval] 2021-06-15

As per Comment #12, and on behalf of Mozilla I approve this request from HARICA to enable EV treatment for the following root certificates:

** Hellenic Academic and Research Institutions RootCA 2015 (Email, Websites); EV
** Hellenic Academic and Research Institutions ECC RootCA 2015 (Email, Websites); EV

I will file the PSM bug for the approved changes.

Whiteboard: [ca-pending-approval] 2021-06-15 → [ca-approved] - pending PSM code changes
Depends on: 1717711

I have filed bug #1717711 against PSM for the actual changes.

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: [ca-approved] - pending PSM code changes → [ca-approved] - EV enabled in FF 95
Product: NSS → CA Program