Multi-Perspective Issuance Corroboration (MPIC)

Starting on March 15, 2025, HARICA will implement Multi-Perspective Issuance Corroboration (MPIC) for Domain Authorization, Control, and Certification Authority Authorization (CAA) Record checks before issuing any TLS Server Authentication Certificates, in accordance with CA/B Forum Baseline Requirements for TLS Server Certificates.

With MPIC, DNS queries for Domain Validation and CAA checks must be verified from multiple, randomly distributed and distant locations across the Internet. If the information corroboration fails (up to a certain level), the certificate issuance will be blocked. Domain Owners must ensure that their Authoritative DNS servers are accessible from the global Internet, allowing the corroboration to be completed without failures that would prevent certificate issuance.

We remind our Subscribers that Publicly-Trusted TLS Server Authentication Certificates are “intended to be used for authenticating servers accessible through the Internet”, as described in the CA/Browser Forum TLS Baseline Requirements.

Mandatory CAA Checks for Mailbox Addresses

Effective March 15, 2025, HARICA will also be required to perform CAA checks for Mailbox Addresses, as mandated by the CA/Browser Forum S/MIME Baseline Requirements.

What You Need to Know:

• Before issuing an S/MIME certificate that includes a Mailbox Address, HARICA will retrieve and process CAA records, similar to the process used for TLS Certificates.
• If your DNS CAA record contains the issuemail tag, it must explicitly include the value “harica.gr”, authorizing HARICA for S/MIME certificate issuance.
• If no issuemail tag is present, no action is required.