Hi Stuart, *,
I also got this response now from Alexey:
--------------------------------
Emmanuel was looking into it and it appeared to be not that simple to
deploy this certificate. It is stored in several intersecting services
in the domain and once we deployed it last time something stopped
working. It took us a long time to solve the consequences and even if the
workaround stopped working we do not want to repeat this exercise.
I hope you will understand us in our vision that the overall
reliability of CERN domain is of a higher priority than the need to type
in the password for several users even if they come from a well-known
and acknowledged CA. Let us at least wait for September and see how it goes.
--------------------------------
- which of course they could have told me the first time! but never
mind. ("September" refers to the rollover certificates which went out
in 1.39.)
<brainstorm>
- lean on someone higher up the chain?
- do without SSO @ CERN for a while?
- find a workaround for Windows and suggest it to them?
- rekey certificates for people who need CERN SSO under the rollover CAs
already?
</brainstorm>
Any thoughts? If anyone volunteers, I'd be interested in trying out
option 4 - if we rekey you under one of the new certificates, does it
solve the problem?
Incidentally, it is not just the UK, it's also DoESG.
Cheers
--jens
On 27/06/2011 13:51, Stuart Wakefield wrote:
> FYI, I just got this:
>
> A solution has been provided for your incident: INC044399.
>
> Solution
> Hello Stuart,
> Please check the reply from Certificate administrators below :
> Currently the situation is as follows: Public UK e-Science
> Intermediate CA certificate doesn't contain special extensions to be
> compliant with additional security policies introduced in Windows
> Server 2008 R2; our SSO system is based on these policies. Temporary
> workaround is currently not working and there is no visible solution
> except for addressing this case to UK e-Science to fix the CA
> certificate. As UK e-Science seems to be an exception (every other CA
> complies with the policy) we cannot focus on the workaround for it for
> the moment.
> Thanks for your understanding.
>
> Cheers
> Stuart
>
> On Fri, Jun 17, 2011 at 5:57 PM, Jens Jensen <[log in to unmask]> wrote:
>> I have received a response from CERN (Alexey) saying "they are aware of
>> the problem and investigating it."
>>
>> I'll let you know how we get on...
>>
>> Thanks
>> --jens
>>
>>