As promised, an update on the CA usability:
Once again, a reminder that the CA web page is
http://www.grid-support.ac.uk/ca/
and people should not go to the CA online server
(ca.grid-support.ac.uk) until they are ready to request a
certificate. Numerous web pages have linked to the latter
when they should have linked to the former.
I forwarded Stephen's comments to the GOSC on 21 Oct, and
have asked them for feedback. I am also going to review it
and update it myself, but for now I have focused on the CA code.
Of course they have already seen Alan Flavell's comments, I
will review those as well. I have already had some feedback
which I will forward to Stephen.
A note on browser support. We support IE and the "Mozilla
family" (officially Firefox). All Mozilla family browsers
should work.
What's new:
CA sends email reminders to users and the RA operators when
a new request goes in, and when a renewal has been requested.
The user email contains the names of the CA operators to go
to. If for some reason there is none, the CA alerts the GOSC.
This needs more debugging but it's an exotic case so not #1
priority.
RA ops always got email but now it includes a URL that takes
them straight to the request rather than having to search for it
first.
If you request (not renew) a certificate when one exists already,
the request is denied. This is now clearer, the system doesn't
let you generate the request, but puts you back to the web
form (the solution being either to do a renewal or to alter
the information to make the DN unique). It still needs a bit
of cosmetic highlighted warning but it has improved significantly.
Access denied messages now tell you which serial it checked against
the ACL; helpful for people with more than one certificate (like
me on the test system, or RAs with host certs in their browser and
the browser sends the wrong cert). Or if you're an RA and someone on
our side has *(#(*^%^ed up your permissions (not entirely unknown,
I fear).
The pkcs#10 system is unchanged; people who use this are expected
to know what they're doing.
This is deployed as of today, along with a bugfix. Expect a few
tweaks over the next week. Some people will have been affected
by the bug (likely without knowing it); the GOSC and I will be in
touch over the next 1-2 weeks.
-------------------
Next on my todo list (in no particular order):
- command line tools. We have one in python which is relatively
poorly documented and is a hack, so the best thing may be to rewrite
it (in Perl of course :-). It is also used for bulk requests.
The bulk signing procedure will need a little streamlining.
- I thought about make the request more "wizardly". I.e., like you
get with online retailers (step 1 log in, 2 select product, 3 select
address, 4 payment, 5 confirmation). Maybe just one more step
is needed - one to select the RA. I may implement it and ask for
feedback.
- RA preselections. It should be possible to make an educated guess
about what the user's RA should be, based on the remote address. The
disadvantage is obviously that if it selects the wrong one, it will
be even more confusing for the novice user. Either it will learn by
mapping IP addr to RAs, or do reverse DNS and have a heuristic mapping.
Relying on reverse DNS presents its own problems too.
- Review documentation.
-------------------
I will aim to send another update by 2 Dec (or earlier).
Cheers,
--jens
|