
Actually Jethro, that is a really interesting point.   As TERENA procure 
the server certificate service under EU procurement laws that require a 
reprocurement every 3 - 5 years, and yet you sign up for a 1, 2, or 3 
year certificate, there was always a chance that certificates would be 
issued that rolled beyond the end of the contractual date of the SCS.  I 
know that TERENA are looking to strengthen the contract with future 
suppliers so they will honour certificates beyond the cut-off date in 
future, so we should see an improvement here. 

The reason for the change is simply EU procurement rules.  You can 
expect that there might be a change in the SCS every 3 years or so 
because of this, unless the current contractor is successful for a 
second term, so it is worth bearing in mind.  Believe it or not, it has 
been three years! 

On the upside, normally you would have to remember when your 
certificates expired yourself, and now you will have us to constantly 
remind you until April!  I do believe the new service process is much 
quicker and easier than the current GlobalSign approach.

JANET will issue some federation-specific advice shortly but it is worth 
following the advice of the SCS and changing across to Comodo 
certificates via their instructions.  You can of course choose to stay 
with GlobalSign if you happen to like their flavour of certificates, but 
will need to pay according to their normal rates. 


Jethro R Binks wrote:
> On Tue, 29 Sep 2009, Roberts A.L. wrote:
>
>   
>> "Isn't all trust based on monetary transactions?"
>>
>> No. I usually only trust people or organisations that don't create 
>> problems and needless support headaches. Unfortunately in this instance 
>> my trust has been misplaced.
>>
>> Just how much money is being saved by this change anyway? Who should we 
>> bill for all the time and effort expended as a result of yet another 
>> enforced change without adequate consultation.
>>     
>
> To be fair, if it makes the current process any easier (which it promises 
> to do), then that's no bad thing.  Also, I have been advised that the new 
> system will properly support subjectAltname certificates, which will make 
> life easier in particular for some people running Windows services that 
> require them (e.g., Exchange 2007).
>
> The annoying part is that the chances are a lot of certificates will be 
> re-done in a short amount of time.  Which means when they come up for 
> renewal 1 or 3 years later, that will likely be a lot of certificates that 
> need to be done in a short amount of time again.  Of course, in their 
> natural lifespan, they would be largely spread through the year, which 
> makes it more manageable.  And of course we will also have to update local 
> documentation, scripts and procedures which is tedious.
>
> Caleb's comment that Globalsign are saying something different to JANET is 
> interesting.  Maybe Caleb could get back to them and ask them to 
> explicitly verify or refute that particular part of what JTAG have said.
>
> Jethro.
>
>
>   
>> AL
>>
>> Mr. Alexander Roberts
>> Web Development Officer
>> Library and Information Services
>> Swansea University/Prifysgol Abertawe
>>
>> http://www.swan.ac.uk/lis
>>
>> +44 (0)1792 513239
>>
>>
>>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Nicole HARRIS
>> Sent: 29 September 2009 09:54
>> To: [log in to unmask]
>> Subject: Re: GlobalSign vs Comodo
>>
>> Not to worry all, my team will be working with JANET to monitor people as they move across to Comodo and will relentlessly chase anyone who hasn't updated to the new service in the meantime. We are good at relentless!
>>
>> Best piece of advice I can give you is to make sure your technical contact details are up to date for both the uk federation and the scs service. These changes normally go wrong because things sit in people's inboxes and get ignored.
>>
>> Isn't all trust based on monetary transactions? "I promise to pay the bearer..." :) I just wish the new supplier didn't constantly remind me of toilets....
>> --------------------------
>> Sent using BlackBerry
>>
>>
>> ----- Original Message -----
>> From: Discussion list for Shibboleth developments <[log in to unmask]>
>> To: [log in to unmask] <[log in to unmask]>
>> Sent: Tue Sep 29 09:35:32 2009
>> Subject: Re: GlobalSign vs Comodo
>>
>>     
>>> Customers must be aware that under the present GlobalSign contract  
>>> all current and valid certificates will be revoked by GlobalSign wef  
>>> 9 April 2010, and not at the end of their natural lifespan
>>>       
>> that's what I read - amazing to think that because money is not  
>> changing hands, the trust is no longer valid. There's a word for that...
>>
>> Alistair
>>
>>
>> -- 
>> mov eax,1
>> mov ebx,0
>> int 80h
>>
>>
>>
>>
>> On 29 Sep 2009, at 09:29, Williams, John wrote:
>>
>>     
>>> Apparently all certificates will expire in April 2010:
>>>
>>> From: JTAG: SCS/UKFed [mailto:[log in to unmask]]
>>> Sent: 28 September 2009 14:10
>>> To: JTAG: SCS/UKFed
>>> Subject: JANET Server Certificate Service UPDATE
>>>
>>> Hello,
>>>
>>> As a current member of our Server Certificate Service we would like  
>>> to make you aware of some forthcoming changes to the service.
>>>
>>> JANET(UK) has signed up to a new TERENA contract for server  
>>> certificates to be provided by Comodo, which will go live before the  
>>> end of this year, with notification of the exact date to be sent to  
>>> all current registrants once confirmed.  Our existing contract for  
>>> server certificates issued by GlobalSign (through TERENA) will  
>>> expire in January 2010.  All existing customers of our Server  
>>> Certificate Service will be invited to sign up for the new service  
>>> in readiness for the system going live.
>>>
>>> Once the new certificate service is in place and you have registered  
>>> to use the service, your organisation's authorised persons will be  
>>> given access to an online account.  A significant benefit will be  
>>> the ability for customers to approve or deny their own certificates  
>>> without the need to print, sign and return them individually to  
>>> JANET(UK) for processing.
>>> All aspects of validating individual certificate requests will be  
>>> fully automated, thus improving the turnaround time for all  
>>> certificate requests.  Authorised persons will also be able to  
>>> retrieve any / all certificates associated with their organisation  
>>> and perform revocation functions directly.  JANET(UK) will continue  
>>> to absorb the cost of providing the certificates under this new  
>>> system, so there will continue to be no onward charging to  
>>> organisations.
>>>
>>> Customers must be aware that under the present GlobalSign contract  
>>> all current and valid certificates will be revoked by GlobalSign wef  
>>> 9 April 2010, and not at the end of their natural lifespan.  However  
>>> we would like to assure you that we are still open for business and  
>>> will continue to issue certificates, and are in the process of  
>>> developing a transition plan to make the crossover to the new  
>>> service as smooth and easy as possible for organisations.
>>>
>>> If you should have any queries as a result of these changes please  
>>> direct them to [log in to unmask] in the first instance.
>>>
>>> Best wishes,
>>>
>>> Shirley Wood
>>>
>>> --
>>> This communication is intended solely for the addressee.  The message  
>>> should not be forwarded to any third party without the agreement of  
>>> the sender.
>>> --
>>> John Williams
>>> ISA
>>> Aston University
>>>
>>> -----Original Message-----
>>> From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of caleb racey
>>> Sent: 29 September 2009 09:19
>>> To: [log in to unmask]
>>> Subject: Re: GlobalSign vs Comodo
>>>
>>> It's all Chinese whispers but one of my colleagues asked for  
>>> clarification from GlobalSign and got the reply
>>>
>>> " As requested I would like to confirm that GlobalSign will not  
>>> revoke any of your existing certificates. "
>>>
>>> So they are stopping issuing new certs but old certs should be valid  
>>> until they naturally expire.
>>>
>>>
>>>
>>>       
>>>> -----Original Message-----
>>>> From: Discussion list for Shibboleth developments [mailto:JISC-
>>>> [log in to unmask]] On Behalf Of Alistair Young
>>>> Sent: 29 September 2009 08:03
>>>> To: [log in to unmask]
>>>> Subject: GlobalSign vs Comodo
>>>>
>>>> just a wee q about certs in the fed. I've just heard JANET are moving
>>>> to Comodo and all certs issued under the existing scheme with
>>>> GlobalSign will be revoked next April, no matter what their expiration
>>>> date is. Will Comodo certs work ok in the federation?
>>>>
>>>> thanks,
>>>>
>>>> Alistair
>>>>
>>>>
>>>> --
>>>> mov eax,1
>>>> mov ebx,0
>>>> int 80h
>>>>         
>
> .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
> Jethro R Binks
> Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK
>