Cert Service Webinar Evaluation

[Paul Caskey <>]

Thanks, Todd!

Could you give a brief example of what sort of improvement we'd be 
considering?  I've not used the API, so I'm not sure it's like.


> -----Original Message-----
> From: E Todd Atkins 
> [mailto:]
> Sent: Wednesday, November 18, 2015 12:51 PM
> To: Paul Caskey
> Cc: Basney, Jim; Ann West; 
> 
> Subject: Re: [CertSvc Review] feedback on survey
> 
> I think “API improvements” should be included in item #8
> 
> > On Nov 18, 2015, at 09:19, Paul Caskey 
> > <>
> >  wrote:
> >
> > Thank you again, Jim, for the feedback.  I made the suggested changes
> detailed below.
> >
> > The survey is now ready to go to the community, pending any last-minute
> changes that any of you think is needed.
> >
> > I will wait until tomorrow to send out the survey, so *please* take a 
> > look at it,
> if you haven’t already and let me know what you think.  The survey will be 
> sent
> under the auspices of this working group.
> >
> > Thank you all for your input!
> >
> >
> >
> > Changes made this morning (wording changes in bold – new versions below):
> >
> > For non-subscribers:
> > “Do you have any questions about, comments on, or features desired in the
> InCommon Certificate Service offering that could influence your decision to
> subscribe in the future?”
> >
> > “What is the most challenging part of certificate lifecycle management in
> your experience with the InCommon Certificate Service? Please choose your
> top three.”
> >
> > “Federation/SSO for the Certificate Manager system (RAO/DRAO access)”
> >
> > “Federation/SSO for the Certificate Manager system for User Certificate 
> > self-
> enrollment”
> >
> >
> >
> >
> > From: Basney, Jim 
> > [mailto:]
> > Sent: Tuesday, November 17, 2015 3:53 PM
> > To: Paul Caskey
> > Cc: Ann West; 
> > 
> > Subject: Re: [CertSvc Review] feedback on survey
> >
> > Right, since the user details (name, email) are already in our SAML
> assertions, no need to separately upload the user details to Comodo. Let the
> users log in directly via SAML to get their user certs (i.e., like
> https://cilogon.org/ does). If you only want some users to be able to get 
> certs,
> then define an eduPersonEntitlement for it. Using SAML authentication for
> certificate issuance rather than email invitations significantly increases 
> the
> level of assurance of the certificate, I think.
> >
> > On 11/17/15, 3:32 PM, Paul Caskey wrote:
> > Hi Jim-
> >
> > Very good points on 1 and 2, but I need a little help understanding #3.  
> > Are
> you saying that end users could authenticate via fed/sso and retrieve a 
> cert?  In
> the current setup, the RAO would need to enter/upload their user details 
> first
> and send them an invitation.  We’d need to discuss with Comodo how that
> might work, but I like the idea.  Let me know if I am misunderstanding it…
> Otherwise, we’ll chat with Comodo about the idea on our next call (FWIW, I
> was able to login to CCM Dev via shib last week, so we’re getting close.).
> >
> >
> > Thanks much!
> >
> >
> >
> >
> > From: Basney, Jim 
> > [mailto:]
> > Sent: Tuesday, November 17, 2015 3:26 PM
> > To: Paul Caskey
> > Cc: Ann West; 
> > 
> > Subject: Re: [CertSvc Review] feedback on survey
> >
> > Hi,
> >
> > I think the "Additional Questions - Not a Current Subscriber" option 
> > should
> include an optional question asking, "Do you have any questions or comments
> on the InCommon Certificate Service offering that could influence your 
> decision
> to subscribe in the future?" In other words, it'd be good to find out why 
> they are
> not subscribers and if there's something InCommon could do to change their
> mind.
> >
> > For "What is the most challenging part of certificate lifecycle 
> > management?"
> I suggest adding "in your experience with the InCommon Cert Service?" In 
> other
> words, we're not asking for a theoretical opinion about certificate 
> lifecycle
> management but rather for their experience of the InCommon Cert Service.
> >
> > Under potential enhancements we have "Federation/SSO for the Certificate
> Manager system" but not "Federation/SSO for user self-enrollment". I think 
> the
> former is about RAOs and DRAOs logging in to the Cert Manager for approving
> requests but the latter is about user's logging in to get their 
> certificates directly
> (i.e., like with CILogon) to eliminate manual RAO/DRAO approval. I think TCS
> supports that now.
> >
> > Otherwise looks great!
> >
> > -Jim
> >
> > On 11/13/15, 4:30 PM, 
> > 
> >  on behalf of
> Paul Caskey wrote:
> > Hello Cert Service Review group-
> >
> > The initial feedback on the survey has been incorporated into survey 
> > monkey.
> >
> > The survey is located here: https://www.surveymonkey.com/r/InCommon-
> certs
> >
> > Please take a look at the survey and provide any additional feedback by 
> > the
> end of the day this next Tuesday, 11/17.  Please check the branching that 
> has
> been put into the survey (mainly on the first question).
> >
> > We’ll incorporate any additional feedback we receive and hope to send it 
> > out
> to the community on Wednesday.
> >
> > My apologies for the late notice.  Time is getting tight to get this done 
> > before
> the holidays.
> >
> >
> > Thank you all!