Implementation of Multi-Perspective Issuance Corroboration (MPIC) and Mandatory CAA Checks for Mailbox Addresses

Multi-Perspective Issuance Corroboration (MPIC)

Starting on March 15, 2025, HARICA will implement Multi-Perspective Issuance Corroboration (MPIC) for Domain Authorization, Control, and Certification Authority Authorization (CAA) Record checks before issuing any TLS Server Authentication Certificates, in accordance with CA/B Forum Baseline Requirements for TLS Server Certificates.

With MPIC, DNS queries for Domain Validation and CAA checks must be verified from multiple, randomly distributed and distant locations across the Internet. If the information corroboration fails (up to a certain level), the certificate issuance will be blocked. Domain Owners must ensure that their Authoritative DNS servers are accessible from the global Internet, allowing the corroboration to be completed without failures that would prevent certificate issuance.

We remind our Subscribers that Publicly-Trusted TLS Server Authentication Certificates are “intended to be used for authenticating servers accessible through the Internet”, as described in the CA/Browser Forum TLS Baseline Requirements.

Mandatory CAA Checks for Mailbox Addresses

Effective March 15, 2025, HARICA will also be required to perform CAA checks for Mailbox Addresses, as mandated by the CA/Browser Forum S/MIME Baseline Requirements.

What You Need to Know:

• Before issuing an S/MIME certificate that includes a Mailbox Address, HARICA will retrieve and process CAA records, similar to the process used for TLS Certificates.
• If your DNS CAA record contains the issuemail tag, it must explicitly include the value “harica.gr”, authorizing HARICA for S/MIME certificate issuance.
• If no issuemail tag is present, no action is required.

Implementation of a new policy in the protection of the private key in Code Signing certificates

According to CA/B Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates and HARICA’s Certificate Policy and Certification Practices Statement for the Hellenic Academic and Research Institutions Public Key Infrastructure (CP/CPS), starting June 1, 2023, it will be mandatory for Code Signing Certificates to have their private keys stored in hardware devices such as tokens or Hardware Security Modules (HSMs) with at least security standard of FIPS 140-2 level 2 or Common Criteria EAL 4, following the existing requirements for Extended Validation Code Signing Certificates.

This new policy optimizes the protection of private keys and upgrades the security of Code Signing Certificates.

What are the policy changes for Code Signing certificates?

Starting June 1, 2023, HARICA will exclusively issue Code Signing Certificates to hardware devices (tokens).

If subscribers prefer to use their own device, this must meet the minimum security standards of FIPS 140-2 level or Common Criteria EAL 4+.

To request for a new Code Signing Certificate, subscribers can submit their requests through our portal cm.harica.gr. Once the certificate is issued, if needed, we will send a token to the subscriber’s preferred address via courier.

We would like to emphasize that HARICA maintains consistent pricing for Code Signing Certificates. This means that the cost of acquiring a Code Signing Certificate and the hardware device remains unchanged.

What will happen to Code Signing Certificates issued prior to June 1, 2023?

Code Signing Certificates issued prior to June 1, 2023, will remain valid until their expiration date. Subscribers of these certificates do not need to take any action. The changes introduced only to Code Signing Certificates that will be issued on or after June 1, 2023.

How will HARICA’s Code Signing Certificates be renewed after June 1, 2023?

Code Signing Certificates that have been purchased in the years 2022 and 2023 for more than three (3) years and their renewal occurs after June 1, 2023, HARICA will provide the necessary token at no additional cost to the subscribers.

Do you have additional questions or concerns?

If you have questions or need more information, please contact the HARICA support at support@harica.gr.

HARICA announcement on Kiwifarms

HARICA supports the freedom of speech and expression, and the right for privacy which is why it invested time and effort to support and offer Onion certificates. This decision was welcomed by the Tor community.

• https://blog.torproject.org/tls-certificate-for-onion-site/
• https://twitter.com/torproject/status/1374814543252049920?lang=el
• https://newsletter.torproject.org/archive/2021-03-31-onion-tls-petition-ban-biometric-surveillance/
• https://community.torproject.org/onion-services/advanced/https/
• https://www.facebook.com/TorProject/photos/a.10151472966454951/10161197452869951/?type=3

HARICA does not check or censor website content protected by its certificates. However, every CA must follow a process to handle complaints from Third Parties and Law enforcement authorities associated with HARICA-issued certificates. If the complaint claims that a certificate is used in violation of the CP/CPS or the Greek/European Law, HARICA is obligated to investigate and check whether those claims are valid. HARICA takes complaints seriously and is especially sensitive to the “forbidden certificate use” clause in section 1.4.2 of its CP/CPS.

In the Kiwifarms case, we received such a complaint and proceeded with our investigation which led to reviewing existing online content. The following URLs were especially examined:

• https://en.wikipedia.org/wiki/Kiwi_Farms
• https://blog.cloudflare.com/kiwifarms-blocked/

Without dismissing the seriousness of other concerning activities reported, HARICA was especially concerned with activities that might have led to suicides. A decision was made to revoke the certificate and an email was sent to the subscriber notifying that the certificate would be revoked in 3 days (on 2023-05-18), and that a new certificate should be obtained by another CA, which should be a trivial task to be completed within 3 days.

Minutes after sending that email, HARICA’s support team started receiving threat messages from unknown individuals, witnessing the behaviour described in the “Escalating threats” of https://blog.cloudflare.com/kiwifarms-blocked/. Support team members participating in the communications with the subscriber were personally targeted.

HARICA considers this behaviour unacceptable. As a non-profit CA, we try to support the Internet community with the best of our abilities and in a very challenging and demanding industry. If HARICA personnel continues to receive harassment for what is a CA decision (not a personal decision), we will have to revisit the risks associated with providing Onion certificates and possibly discontinue this service. Our personnel’s good health and safety is of upmost importance.

Among the numerous threat messages HARICA received, there was one case that followed the reporting procedure, was kind and polite, and highlighted the fact that there are currently only two publicly-trusted CAs that issue certificates for Onion domain names, and HARICA is one of them. This significantly minimizes the options of Subscribers with Onion domain names.

After considering that factor, HARICA decided to postpone the revocation action and wait for further investigations, if any, by the Greek Law enforcement authorities. The community should not mistakenly think that HARICA’s decision to postpone the revocation was due to the threats we received. We continue to reserve the right to revoke or not issue a replacement certificate, but we respect the fact that this particular subscriber has only one other option to obtain a certificate to protect their website. We hope more CAs will be able to support Onion certificates to alleviate that problem.

Adobe Acrobat settings for signature validation

Decision 2015/1506/EU pursuant to Regulation (EU) 910/2014 (also known as eIDAS) has defined a number of baseline profiles (e.g. PAdES, XAdES, etc.) to ensure that electronic signatures can be created and validated anywhere in Europe.

When a user performs a signing operation with Acrobat and tries to validate the signature at a later time using a signature validation software like DSS (Digital Signature Service) WebApp, either after the certificate’s expiration or revocation, the validation fails.

This happens because Acrobat’s default behavior is not conformant with the PAdES (PDF Advanced Electronic Signature) baseline profile. Its default settings do not include the mandatory “message-digest” attribute (and other signed attributes) which is enforced by the default DSS validation policy.

Acrobat offers a different signature option which does contain the “message-digest” attribute and passes validation by the DSS app successfully but needs the user to change the default settings of the application.

To do this, the user has to open Acrobat’s “Creation and Appearance Preferences” and choose CAdES-Equivalent as the Default Signing Format.

Finally, it is highly recommended that the checkbox “Include signature’s revocation status” is selected so the signature is LTV (Long Term Validation) enabled.

HARICA achievements

Sky is the limit

All of us involved in HARICA’s activities as a “Qualified Trust Service Provider (QTSP)” share a common philosophy that can be summed up in the words of Henry Ford: “If everyone moves forward in sync, then success comes naturally”.

A few years ago, we decided to expand our activities beyond the Academic and Research boundaries. Since then, our projects have exceeded our initial expectations and we feel deeply honored to be trusted by high-profile leading organizations, institutions, public and private, in Greece, in Europe and in the rest of the world.

The e-platform gov.gr of the Ministry of Digital Governance issues millions of digital documents, including Covid Vaccination Certificates, e-declarations and authorizations with HARICA’s e-Seal as well as the Central Electronic Document Management System (mindigital-shde.gr) issuing Remote Qualified Electronic Signatures for Public Administration to civil servants for signing legally binding documents as defined in the eIDAS regulation. The e-platform diavgeia.gov.gr uses HARICA certificates to formally announce governmental and administrative decisions and resolutions. The e-National Social Security Fund (e-Efka) uses HARICA’s e-Seal and Server Certificates. EYATH, (Thessaloniki Water Supply and Sewerage Company) trusted us for the Qualified eSignatures and the Email Certificates (S/MIME) of its employees.

The Council of State, Administrative Regions of Greece, the Ministry of Labour of Cyprus, Municipalities, Professional Chambers, the Supreme Attorneys Associations, Notary Associations as well as European Organizations such as EU Agency for the Cooperation of Energy Regulators (ACER), CEDEFOP and private companies such as BETA CAE, KLEEMANN and SPACE HELLAS are a few of HARICA’s high-profile Subscribers that have entrusted us for adding security to their digital services.

Big Social and News networks such as Facebook use HARICA’s wildcard certificates, providing encrypted communications and data security to billions of their users.

In the demanding field of electronic payments, we issue PSD2 digital certificates in accordance with the European Payment Services Directive 2 (PSD2) and Regulation 910/2014 (eIDAS), providing the highest level of security. This is why banking institutions such as ALPHA BANK, OPTIMA BANK and Third-party Payment Provider (TPP) companies such as CARDLINK, MIA PAGO Ltd, Perlas Finance, and Money Capp trust HARICA to secure their electronic transactions.

Our accomplishments do not make us complacent, they motivate us to continue our efforts with even more enthusiasm, but also with more knowledge and experience to improve and expand HARICA’s trusted services, because for us “only sky is the limit”.

Thank you!

HARICA introduces new 2021 hierarchy for SSL/TLS Certificates

We are pleased to announce that on the 1st of June 2022, HARICA will switch the issuance of SSL/TLS certificates to its 2021 Root TLS Certification Authorities.

Both HARICA TLS RSA Root CA 2021 and HARICA TLS ECC Root CA 2021 are already pre-installed on Windows operating systems as well on macOS 12 providing the necessary trust anchor for Google Chrome, Microsoft Edge and other popular Internet Browsers. In addition, Mozilla Firefox has updated its Certificate Store with HARICA’s new RootsCAs.

For older operating systems and browsers, HARICA issued two additional cross-certificates to chain the 2021 hierarchy with the older 2015 one for increased ubiquity.

Both HARICA TLS Root 2021 ECC and RSA cross-certificates can be used by our subscribers in their certificate chain files to cover the majority of browsers regardless of their version.

Remote Qualified Electronic Signature with 50% discount

UPDATE

Following the high demand for eSignatures, HARICA decided to extend the discount period till the end of February 2022.

Why use a Qualified Electronic Signature?

Use the electronic signature to digitally sign documents (PDF) and ensure the authenticity and integrity of their content. Since legally binding (cross-border in the European Union) you can use the electronic signature in:

• Contracts (sales, employment, lease, insurance, etc.)
• Transactions (e-commerce, online banking, tenders, etc.)
• Administrative procedures (requests to public sectors, etc.)

Offer information

The offer is valid from 1/12/2021 until 31/01/2022 and is addressed to professionals, e.g. engineers, lawyers, notaries, etc. The offer is about the purchase of a Remote Qualified Electronic Signature with 1-4 years validity period.

Get the offer

The interested party must contact support@harica.gr stating his/her business details. Then, he/she will receive a 50% discount coupon, which he/she can use when completing the order.