HARICA has applied to add the “Hellenic Academic and Research
Institutions RootCA 2011” root certificate, and enable all three trust bits.
The main goal of HARICA (Hellenic Academic and Research Institutions
Certification Authority / Greek Universities Network) is the deployment
of an infrastructure for secure communication between the collaborating
members of the Greek Academic and Research Institutions. All HARICA
certificates have a clear mark indicating that the certificate is
subject to Greek laws and their CPS.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=581901
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#HARICA
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=569483
Noteworthy points:
* The primary document is the CPS, which is provided in English.
Document Repository:
http://www.harica.gr/procedures.php
CPS:
http://www.harica.gr/documents/CPS-EN.pdf
* HARICA’s original request was to include the “Hellenic Academic and
Research Institutions RootCA 2006” root certificate, but its signature
algorithm is MD5. Then HARICA created a new root certificate, “Hellenic
Academic and Research Institutions RootCA 2010”, with the SHA-1
signature algorithm. While waiting in the queue for public discussion,
HARICA decided to replace the “Hellenic Academic and Research
Institutions RootCA 2010” root certificate with a new certificate in
order to fix an issue they noticed with the AuthorityKeyIdentifier
extension and the certificate policy OID.
* Root Cert URL:
http://www.harica.gr/certs/HaricaRootCA2011.der
* This new root will eventually have the same intermediate CAs as
HARICA’s MD5 root; the CA hierarchy diagram is here:
https://bugzilla.mozilla.org/attachment.cgi?id=460450
* The hierarchy that will be transitioned to this root consists of
several internally-operated subordinate CAs and one externally-operated
subordinate CA. Each subordinate CA is used for a different academic or
research institution.
** HARICA has implemented technical restrictions (at the RA and CA
level) allowing only specific domains affiliated with their constituency
to be included in certificates.
* HARICA has confirmed that they have in place multi-factor
authentication for server certificates, and multi-factor authentication
to access the RA and CA engines.
* The request is to enable all three trust bits.
* CPS section 1.3.2: Registration Authorities (RA) are entities
responsible for identity validation of all applicants before the
issuance of the certificate. They transfer the requests to the
particular Certification Authority in a secure manner. GUnet is the
central Registration Authority of HARICA and apply strict procedures for
users’ authentication.
* CPS section 3.2.2: The Registration Authority must confirm that the
subscriber belongs to the Institution, the name of which is included in
the certificate. The subscriber must:
a) be registered in the official directory service of her/his
Institution and her/his Institution must appear in this record, or
b) Possess an electronic mail address in the official mail service of
the Institution and the administration of her/his Institution confirms
its relationship with the subscriber.
* CPS section
3.2.3.1: The certificates of individuals that are issued
by the HARICA PKI must be checked for identification. There are two
classes of user certificates. Class A includes certificates whose
private key is generated and resides in a secure cryptographic device
(eToken or smartcard) and are issued under the presence of authorized
personnel of the RA. Class B includes certificates whose private key has
been generated using some software (software certificate store). Note
that there is a secure identification of the recipient with her/his
physical presence and an acceptable official document proving his
identity in both classes of certificates.
The Registration Authority relies on the control of identity performed
by the institutions the subscriber belongs to and uses authentication
ways of user identities that are available in the institutions in order
to check the identity. The collaborating institutions are compelled to
have certified the identity of a user by means of an official document
that bears the photograph of the beneficiary (eg police identity,
passport, driving license, student identity card) and which is
considered reliable by the familiar institution. Alternatively, the RA
of HARICA can execute the above process of applicant identification.
In case the familiar institution of the user, according to its policy,
has already performed a procedure of physical identity verification in
the past (e.g. for the provision of a user account or e-mail address)
there is no need to repeat the procedure but a typical confirmation
through the officially certified e-mail address of the user is sufficient.
* CPS section
3.2.3.1: HARICA central RA uses two methods for e-mail
ownership and control verification:
** The first method uses simple e-mail verification. The user enters the
e-mail address at the initial certificate request form and a
verification e-mail is sent to the user with a link to a unique web
page. After following this link, an e-mail is sent to the institution's
network operation center mail administrator that requires an approval
based on the full name entered by the user and the user's email. This
approval requires the identification of the user with his/her physical
presence and an acceptable official document. If this procedure took
place before (e.g. for the creation of an e-mail account) then there is
no reason to be repeated.
** The second method uses an LDAP server. The user enters the personal
e-mail address at the initial certificate request form and the
corresponding password. This information is verified against the
institution's LDAP server. If the verification is successful, the RA
queries the real name of the user and creates the certificate request.
In order for a user to be listed in the Institutional Directory server,
the institution must have verified the user with his/her physical
presence and an acceptable official photo-id document.
Certificates of Class A are recommended to include an extra
organizational unit (OU) in the subject field with the value ‘Class A –
Private Key created and stored in hardware CSP’. Certificates of Class B
are recommended to include an extra organizational unit (OU) in the
subject field with the value ‘Class B – Private Key created and stored
in software CSP’.
CPS section
3.2.3.2: The individual who is in charge of the operation of
the device and its conformity to the Certification Policy should possess
a certificate which was issued by a CA that conforms to the “HARICA
Certification Practice Statement/ Certification Policy”.
The subscriber submits the application for a device certificate on a web
interface where she/he must be authenticated presenting her/his personal
certificate. The issuance of a certificate for a device owned by an
institution other than the institution of its administrator, is not allowed.
HARICA central RA uses the following methods for device ownership
verification. First of all, issuance of an SSL/TLS certificate is only
allowed for domains belonging to each institution. Secondly, in order
for a user to apply for an SSL/TLS device certificate he must own a user
certificate which proves his identity. Then a verification e-mail is
sent to an institution's network operations center designated
administrator who verifies the validity of the FQDN of the certificate
request. He also checks that the person who applied for the certificate
is the rightful owner of the FQDN according to the institution's
database of users / servers.
CPS section 3.2.4: The certificates that are issued do not include
non-verified subscriber information.
* CPS section 9.16.2: Each subordinate Certification Authority approved
by HARICA PKI is committed to:
** Grant certificates with validity period within the limits of the
active employment (or other) relationship between the applicant and the
institution, according to the applicant’s affiliation (i.e student,
employee, faculty).
** Inform the parent Certification Authority immediately in case of
private key exposure.
** Protect the private keys, used for certificate signing, at least in
the security level that is described in the present document.
** Develop (optionally) its own policies and procedures of certification
which must be at least as strict and binding as the ones described in
the present document.
** In case an institution -within the HARICA constituency- wants to run
its own CA, it must provide an official audit certificate according to
the ETSI TS 101 456 (or equivalent) requirements
* There is currently one externally-operated subordinate CA:
** Company Name: Aristotle University of Thessaloniki Network Operations
Center
** Corporate URL:
http://noc.auth.gr
** Certificate download URL:
http://www.pki.auth.gr/certs/AuthCentralCAR2.pem
** General CA hierarchy: AuthCentralCAR2 only issues sub-CAs, and had
the following three subordinate CAs: AuthNocCAR3 (issues user and server
certificates for the Network Operations Center of the University),
AuthUsersCAR3 (issues user certificates for the rest of the University),
AuthServersCAR3 (issues server certificates for the rest of the University).
** CP/CPS Link:
http://www.pki.auth.gr/documents/CPS-EN.pdf
*** Section 3.2.2: The Registration Authority must confirm that the
subscriber belongs to the Aristotle University of Thessaloniki. The name
of AUTH is included in the certificate. The subscriber must: a) be
registered in the official directory service of the University, or b)
Possess an e-mail address in the official mail service of AUTH and the
administration services of AUTH must confirm the relationship with the
subscriber.
*** Ownership of domain name: sections 3.2.3.2 and 3.2.5
*** Ownership of e-mail: sections 3.2.3.1 and 3.2.5
*** Section 4.9.7: The CRL will be issued at least every five (5) days.
The CRL will be in effect for five (5) days. In case of subscribers
private key exposure or any other important security compromise an
updated CRL will be issued immediately.
**
https://ocsp.pki.auth.gr.
** Audit:
http://www.trust-it.gr/userfiles/AUTH.2011.03.18.Rev1.7.English.pdf
* EV Policy OID: Not requesting EV treatment.
* Root Cert:
http://www.harica.gr/certs/HaricaRootCA2011.der
** This new root cert was recently created to correct an issue with the
AuthorityKeyIdentifier extension; for more info see
https://bugzilla.mozilla.org/show_bug.cgi?id=581901#c20
* Test Website:
https://www2.harica.gr
* CRL:
**
http://crlv1.harica.gr/HaricaRootCA2011/crlv1.der.crl
**
http://crlv1.harica.gr/HaricaAdministrationCAR1/crlv1.der.crl
** CPS 4.9.7: The CRL must be updated and published at least every five
(5) days.
* OCSP:
http://ocsp.harica.gr
** CPS section 7.3: The use of OCSP is mandatory for all subordinate
Certification Authorities. The OCSP responders must conform to RFC2560.
* Audit: Annual audits are performed according to the ETSI TS 101 456
criteria. The most recent audit was performed by Deventum
(
http://deventum.com), and posted on the Trust-IT website:
http://www.trust-it.gr/userfiles/Harica.2011.03.18.Rev1.2.ENG.pdf
** Note that this new root was created after the last audit, and will
need to be included in the next audit.
** A network security audit was performed at the same time as the ETSI
audit.
Potentially Problematic Practices
(
http://wiki.mozilla.org/CA:Problematic_Practices):
* External RAs are allowed. CPS section 9.16.3: Each Registration
Authority manages the applications for subscriber registration.
** Each Registration Authority is responsible to receive certificate
applications from subscribers. It validates the identity of the
subscriber, confirms that the public key that is submitted belongs to
the subscriber and securely transmits the application to the CA.
** According to the certificate type, applications can be submitted via
face-to-face meeting with the interested party, via e-mail, via a secure
web form, or via any mechanism that securely identifies the user. The
application includes all information identifying the subscriber, and the
corresponding public key.
** Mass applications submission from a specific administrative
department is possible on behalf of the persons that belong to that
department or organization
** Each Registration Authority must verify if each person requesting a
personal certificate is the rightful owner of the certified e-mail address.
** Each Registration Authority must verify that the person requesting a
device certificate is the rightful owner and administrator of the
device’s FQDN.
** In case an institution -within the HARICA constituency- wants to run
its own RA, it must provide an official audit certificate according to
the ETSI TS 101 456 (or equivalent) requirements
This begins the discussion of the request from HARICA to add the
“Hellenic Academic and Research Institutions RootCA 2011” root
certificate, and enable all three trust bits. At the conclusion of this
discussion, I will provide a summary of issues noted and action items.
If there are no outstanding issues, then this request can be approved.
If there are outstanding issues or action items, then an additional
discussion may be needed as follow-up.
Kathleen