Dear all,
As some of you may have heard, we are finally getting round to close
down the old CA hierarchy (the one where an encrypted copy of the root's
private key mysteriously went walkabout).
Most users have long been moved over, for the remaining ones we decided
to try out a new method: re-signing certificates under the new key pair.
This method could make people's lives easier in the future because we
can to a larger extent automate the process, like a certificate
"subscription" - you simply get a new one when you need it. (RA will
still be involved but I want to disassociate the RA approval step from
the issuance step further.)
My hidden agenda is to make the CA better able to scale to handling the
large numbers of requests it's handling. This will have to be done in
steps to avoid disrupting normal services.
For more information about the current process, please refer to the
following page:
http://www.grid-support.ac.uk/content/view/399/1/
The users who have been "volunteered" for the trial have already been
contacted (apart from some for whom the signing failed, they should
receive theirs later today.) If you haven't been "volunteered", you
don't need to do anything, the old certificates will automatically drop
out of the distribution at the next release.
The only gotcha is a bug in IE which I have one report about so far.
For users with personal certificates in IE, they may have to do an old
fashioned renewal. If I can replicate the bug, I will file a bug report
with MS.
Cheers
--jens
|