Actually Jethro, that is a really interesting point.   As TERENA procure the server certificate service under EU procurement laws that requires a reprocurement every 3 - 5 years, and yet you sign up for a 1,2, or 3 year certificate, there was always a chance that certificates would be issued that rolled beyond the end of the contractual date of the SCS.  I know that TERENA are looking to strengthen the contract with future suppliers so they will honour certificates beyond the cut-off date in future, so we should see an improvement here. 

The reason for the change is simply EU procurement rules.  You can expect that there might be in a change in the SCS every 3 years or so because of this, unless the current contractor is successful for a second term, so it is worth bearing in mind.  Believe it or not, it has been three years! 

On the upside, normally you would have to remember when your certificates expired yourself, and now you will have us to constantly remind you until April!  I do believe the new service process is much quicker and easier than the current GlobalSign approach.

JANET will issue some federation-specific advice shortly but it is worth following the advice of the SCS and changing across to Comodo certificates via their instructions.  You can of course chose to stay with GlobalSign if you happen to like their flavour of certificates, but will need to pay according to their normal rates. 


Jethro R Binks wrote:

[log in to unmask]" type="cite">

On Tue, 29 Sep 2009, Roberts A.L. wrote:

  

"Isn't all trust based on monetary transactions?"

No. I usually only trust people or organisations that don't create 
problems and needless support headaches. Unfortunately in this instance 
my trust has been misplaced.

Just how much money is being saved by this change anyway? Who should we 
bill for all the time and effort expended as a result of yet another 
enforced change without adequate consultation.
    

To be fair, if it makes the current process any easier (which it promises 
to do), then that's no bad thing.  Also, I have been advised that the new 
system will properly support subjectAltname certificates, which will make 
life easier in particular for some people running Windows services that 
require them (e.g., Exchange 2007).

The annoying part is that the chance are a lot of certificates will be 
re-done in a short amount of time.  Which means when they come up for 
renewal 1 or 3 years later, that will likely be a lot of certificates that 
need to be done in a short amount of time again.  Of course, in their 
natural lifespan, they would be largely spread through the year, which 
makes it more manageable.  And of course we will also have to update local 
documentation, scripts and procedures which is tedious.

Caleb's comment that Globalsign are saying something different to JANET is 
interesting.  Maybe Caleb could get back to them and ask them to 
explicitly verify or refute that particular part of what JTAG have said.

Jethro.


  

AL

Mr. Alexander Roberts
Web Development Officer
Library and Information Services
Swansea University/Prifysgol Abertawe

http://www.swan.ac.uk/lis

+44 (0)1792 513239



-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Nicole HARRIS
Sent: 29 September 2009 09:54
To: [log in to unmask]
Subject: Re: GlobalSign vs Comodo

Not to worry all, my team will be working with JANET to  monitor people as they move across to Comodo and will relentlessly chase anyone who hasn't updated to the new service in the meantime. We are good at relentless!

Best piece of advice I can give you is to make sure your technical contact details are up to date for both the uk federation and the scs service. These changes normally go wrong because things sit in people's inboxes and get ignored.

Isn't all trust based on monetary transactions? "I promise to pay the bearer..." :) I just wish the new supplier didn't constantly remind me of toilets....
--------------------------
Sent using BlackBerry


----- Original Message -----
From: Discussion list for Shibboleth developments <[log in to unmask]>
To: [log in to unmask] <[log in to unmask]>
Sent: Tue Sep 29 09:35:32 2009
Subject: Re: GlobalSign vs Comodo

    

Customers must be aware that under the present GlobalSign contract  
all current and valid certificates will be revoked by GlobalSign wef  
9 April 2010, and not at the end of their natural lifespan
      

that's what I read - amazing to think that because money is not  
changing hands, the trust is no longer valid. There's a word for that...

Alistair


-- 
mov eax,1
mov ebx,0
int 80h




On 29 Sep 2009, at 09:29, Williams, John wrote:

    

Apparently all certificates will expire in April 2010:

From: JTAG: SCS/UKFed [mailto:[log in to unmask]]
Sent: 28 September 2009 14:10
To: JTAG: SCS/UKFed
Subject: JANET Server Certificate Service UPDATE

Hello,

As a current member of our Server Certificate Service we would like  
to make you aware of some forthcoming changes to the service.

JANET(UK) has signed up to a new TERENA contract for server  
certificates to be provided by Comodo, which will go live before the  
end of this year, with notification of the exact date to be sent to  
all current registrants once confirmed.  Our existing contract for  
server certificates issued by GlobalSign (through TERENA) will  
expire in January 2010.  All existing customers of our Server  
Certificate Service will be invited to sign up for the new service  
in readiness for the system going live.

Once the new certificate service is in place and you have registered  
to use the service, your organisation's authorised persons will be  
given access to an online account.  A significant benefit will be  
the ability for customers to approve or deny their own certificates  
without the need to print, sign and return them individually to  
JANET(UK) for processing.
All aspects of validating individual certificate requests will be  
fully automated, thus improving the turnaround time for all  
certificate requests.  Authorised persons will also be able to  
retrieve any / all certificates associated with their organisation  
and perform revocation functions directly.  JANET(UK) will continue  
to absorb the cost of providing the certificates under this new  
system, so there will continue to be no onward charging to  
organisations.

Customers must be aware that under the present GlobalSign contract  
all current and valid certificates will be revoked by GlobalSign wef  
9 April 2010, and not at the end of their natural lifespan.  However  
we would like to assure you that we are still open for business and  
will continue to issue certificates, and are in the process of  
developing a transition plan to make the crossover to the new  
service as smooth and easy as possible for organisations.

If you should have any queries as a result of these changes please  
direct them to [log in to unmask] in the first instance.

Best wishes,

Shirley Wood

--
This communication is intended solely for the addressee  The message  
should not be forwarded to any third party without the agreement of  
the sender.
--
John Williams
ISA
Aston University

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask] 
] On Behalf Of caleb racey
Sent: 29 September 2009 09:19
To: [log in to unmask]
Subject: Re: GlobalSign vs Comodo

It's all Chinese whispers but one of my colleagues asked for  
clarification from glaobalsign and got the reply

" As requested I would like to confirm that GlobalSign will not  
revoke any of your existing certificates. "

So they are stopping issuing new certs but old certs should be valid  
until they naturally expire.



      

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:JISC-
[log in to unmask]] On Behalf Of Alistair Young
Sent: 29 September 2009 08:03
To: [log in to unmask]
Subject: GlobalSign vs Comodo

just a wee q about certs in the fed. I've just heard JANET are moving
to Comodo and all certs issued under the existing scheme with
GobalSign will be revoked next April, no matter what their expiration
date is. Will Comodo certs work ok in the federation?

thanks,

Alistair


--
mov eax,1
mov ebx,0
int 80h
        

  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK