Harica: Issuance and refusal to revoke TLS certificates for sanctioned entities
6 hours ago
- #EU Sanctions
- #CA Compliance
- #TLS Certificates
- HARICA, a Greek CA, is issuing TLS certificates to EU-sanctioned Russian entities such as Sberbank, VTB, and KAMAZ, despite reported violations.
- HARICA refused to revoke these certificates, arguing that DV certificates require no identity verification and thus no sanctions screening.
- Researchers identified over 170 active HARICA certificates for sanctioned entities, including state banks, defense contractors, and cyber-related organizations.
- HARICA's stance contrasts with other CAs like Let's Encrypt and GlobalSign, which revoked similar certificates upon notification.
- Escalations have been made to HARICA's auditor (QMSCERT) and Greek regulatory bodies (EETT) for non-compliance with EU sanctions.
- HARICA maintains that legal or regulatory direction is needed for action, while critics argue willful blindness and policy choices enable sanctions evasion.
- The issue highlights a systemic compliance failure, with HARICA becoming a 'sanctions-busting fallback' for blocked entities migrating from other CAs.