Public Discussion of HARICA's Root CA Inclusion Requests


Ben Wilson

May 19, 2021, 4:05:28 PM
to dev-secur...@mozilla.org
All,

Based on the request prioritization process outlined here - https://wiki.mozilla.org/CA/Prioritization, this is to announce the beginning of the public discussion phase of the Mozilla root CA process (see https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9)) to EV-enable two 2015 HARICA roots and to add four HARICA 2021 roots to the root store, as outlined below.


These inclusion applications have been tracked in the CCADB and in Bugzilla as follows:  

EV-Enable two HARICA 2015 Root CAs - https://bugzilla.mozilla.org/show_bug.cgi?id=1690054

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000713

Two 2021 TLS Roots - https://bugzilla.mozilla.org/show_bug.cgi?id=1695487

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000730

Two 2021 SMIME Roots - https://bugzilla.mozilla.org/show_bug.cgi?id=1695486

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000729


The roots involved are as follows: 

Hellenic Academic and Research Institutions RootCA 2015 (EV enablement requested)

Hellenic Academic and Research Institutions ECC RootCA 2015 (EV enablement requested)

HARICA TLS RSA Root CA 2021 (websites bit and EV enablement)

HARICA TLS ECC Root CA 2021 (websites bit and EV enablement)

HARICA Client RSA Root CA 2021 (email bit)

HARICA Client ECC Root CA 2021 (email bit)

Mozilla is considering approving HARICA’s requests. This email begins a 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).


Root Certificate Information:

Hellenic Academic and Research Institutions RootCA 2015 (EV enablement requested)

https://crt.sh/?q=A040929A02CE53B4ACF4F2FFC6981CE4496F755E6D45FE0B2A692BCD52523F36

    Download – https://repo.harica.gr/certs/HaricaRootCA2015.der

Hellenic Academic and Research Institutions ECC RootCA 2015 (EV enablement requested)

https://crt.sh/?q=44B545AA8A25E65A73CA15DC27FC36D24C1CB9953A066539B11582DC487B4833

    Download – https://repo.harica.gr/certs/HaricaECCRootCA2015.der

HARICA TLS RSA Root CA 2021 (websites bit and EV enablement)

https://crt.sh/?q=D95D0E8EDA79525BF9BEB11B14D2100D3294985F0C62D9FABD9CD999ECCB7B1D

    Download – https://repo.harica.gr/certs/HARICA-TLS-Root-2021-RSA.der

HARICA TLS ECC Root CA 2021 (websites bit and EV enablement)

https://crt.sh/?q=3F99CC474ACFCE4DFED58794665E478D1547739F2E780F1BB4CA9B133097D401

    Download – https://repo.harica.gr/certs/HARICA-TLS-Root-2021-ECC.der

HARICA Client RSA Root CA 2021 (email bit)

https://crt.sh/?q=1BE7ABE30686B16348AFD1C61B6866A0EA7F4821E67D5E8AF937CF8011BC750D

    Download – https://repo.harica.gr/certs/HARICA-Client-Root-2021-RSA.der

HARICA Client ECC Root CA 2021 (email bit)

https://crt.sh/?q=8DD4B5373CB0DE36769C12339280D82746B3AA6CD426E797A31BABE4279CF00B

    Download – https://repo.harica.gr/certs/HARICA-Client-Root-2021-ECC.der


CP/CPS:   

Current CPS is Version 4.4 /  May 5, 2021 - https://repo.harica.gr/documents/CPS-EN.pdf

Recent CPS review - https://bugzilla.mozilla.org/show_bug.cgi?id=1695487#c6

Repository location:   https://repo.harica.gr/documents/CPS


Audits: 

HARICA’s ETSI auditor is QMSCERT.  HARICA’s last audit report was dated June 4, 2020, and we are expecting to receive a current audit report soon.  The 2020 audit may be downloaded here:  https://www.qmscert.com/share/HARICA_Audit_Attestation_E_V2.3_040620-01-AL_V1.0.pdf.  (We expect to receive a new 2021 audit report during this discussion period.)

That audit noted Bug 1597135 for the issuance of three EV certificates without L or ST (closed).

Subsequent bugs (closed) are as follows:

1649945 - Incorrect OCSP Delegated Responder Certificate

1651465 - Delayed revocation for non-BR-compliant CA Certificates within 7 days

1699796 - Certificates with invalid policy tree

HARICA has no bugs currently open.


Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 11-June-2021.


A representative of HARICA must promptly respond directly in the discussion thread to all questions that are posted.

 

Sincerely yours,

Ben Wilson

Mozilla Root Program

Andrew Ayer

May 21, 2021, 9:22:59 AM
to dev-secur...@mozilla.org
On Wed, 19 May 2021 14:05:13 -0600
Ben Wilson <bwi...@mozilla.com> wrote:

> *CP/CPS:*
>
> Current CPS is Version 4.4 / May 5, 2021 -
> https://repo.harica.gr/documents/CPS-EN.pdf

I took a quick look at the CPS and noted the following:

GOOD: In Feb 2021, the CPS was updated to forbid agreed-upon change to
website from being used for wildcard validation.

GOOD: In May 2021, the CPS was updated to remove the DNS Operator CAA
exception.

GOOD: Effective 2021-06-01, certificate subjects will not contain the
OU field.

The above shows that HARICA is paying attention to the discussion of
problematic practices and is proactively discontinuing them even before
they are banned in the BRs.

Regards,
Andrew

Ben Wilson

Jun 11, 2021, 1:03:02 PM
to dev-secur...@mozilla.org
All,
I'm going to close the public discussion phase of these inclusion requests later today, and then we'll start the one-week "last call" period before I submit these for inclusion.
Ben


Ben Wilson

Jun 15, 2021, 4:12:36 PM
to dev-secur...@mozilla.org

On May 19, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process] for HARICA’s inclusion requests. 

We received one favorable comment and no negative comments. Based on this review of the public discussion, I do not believe there are any open action items for HARICA to complete under Steps 5-8 of the application process. 

This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve HARICA’s requests for inclusion [Step 10].   

This begins a 7-day “last call” period (through June 22, 2021) for any final objections.

Thanks,

Ben
