Cert Service Webinar Evaluation

[E Todd Atkins <>]

I currently use the API to submit new certificate requests. However, I must 
logon to the certificate manager to either approve, decline, and/or edit the 
request since there are no documented functions for performing these actions. 
I would like to be able to perform more of the same actions from the API as I 
can from logging onto the certificate manager.  

> On Nov 18, 2015, at 11:22, Paul Caskey 
> <>
>  wrote:
> 
> Thanks, Todd!
> 
> Could you give a brief example of what sort of improvement we'd be 
> considering?  I've not used the API, so I'm not sure it's like.
> 
> 
>> -----Original Message-----
>> From: E Todd Atkins 
>> [mailto:]
>> Sent: Wednesday, November 18, 2015 12:51 PM
>> To: Paul Caskey
>> Cc: Basney, Jim; Ann West; 
>> 
>> Subject: Re: [CertSvc Review] feedback on survey
>> 
>> I think “API improvements” should be included in item #8
>> 
>>> On Nov 18, 2015, at 09:19, Paul Caskey 
>>> <>
>>>  wrote:
>>> 
>>> Thank you again, Jim, for the feedback.  I made the suggested changes
>> detailed below.
>>> 
>>> The survey is now ready to go to the community, pending any last-minute
>> changes that any of you think is needed.
>>> 
>>> I will wait until tomorrow to send out the survey, so *please* take a 
>>> look at it,
>> if you haven’t already and let me know what you think.  The survey will be 
>> sent
>> under the auspices of this working group.
>>> 
>>> Thank you all for your input!
>>> 
>>> 
>>> 
>>> Changes made this morning (wording changes in bold – new versions below):
>>> 
>>> For non-subscribers:
>>> “Do you have any questions about, comments on, or features desired in the
>> InCommon Certificate Service offering that could influence your decision to
>> subscribe in the future?”
>>> 
>>> “What is the most challenging part of certificate lifecycle management in
>> your experience with the InCommon Certificate Service? Please choose your
>> top three.”
>>> 
>>> “Federation/SSO for the Certificate Manager system (RAO/DRAO access)”
>>> 
>>> “Federation/SSO for the Certificate Manager system for User Certificate 
>>> self-
>> enrollment”
>>> 
>>> 
>>> 
>>> 
>>> From: Basney, Jim 
>>> [mailto:]
>>> Sent: Tuesday, November 17, 2015 3:53 PM
>>> To: Paul Caskey
>>> Cc: Ann West; 
>>> 
>>> Subject: Re: [CertSvc Review] feedback on survey
>>> 
>>> Right, since the user details (name, email) are already in our SAML
>> assertions, no need to separately upload the user details to Comodo. Let 
>> the
>> users log in directly via SAML to get their user certs (i.e., like
>> https://cilogon.org/ does). If you only want some users to be able to get 
>> certs,
>> then define an eduPersonEntitlement for it. Using SAML authentication for
>> certificate issuance rather than email invitations significantly increases 
>> the
>> level of assurance of the certificate, I think.
>>> 
>>> On 11/17/15, 3:32 PM, Paul Caskey wrote:
>>> Hi Jim-
>>> 
>>> Very good points on 1 and 2, but I need a little help understanding #3.  
>>> Are
>> you saying that end users could authenticate via fed/sso and retrieve a 
>> cert?  In
>> the current setup, the RAO would need to enter/upload their user details 
>> first
>> and send them an invitation.  We’d need to discuss with Comodo how that
>> might work, but I like the idea.  Let me know if I am misunderstanding it…
>> Otherwise, we’ll chat with Comodo about the idea on our next call (FWIW, I
>> was able to login to CCM Dev via shib last week, so we’re getting close.).
>>> 
>>> 
>>> Thanks much!
>>> 
>>> 
>>> 
>>> 
>>> From: Basney, Jim 
>>> [mailto:]
>>> Sent: Tuesday, November 17, 2015 3:26 PM
>>> To: Paul Caskey
>>> Cc: Ann West; 
>>> 
>>> Subject: Re: [CertSvc Review] feedback on survey
>>> 
>>> Hi,
>>> 
>>> I think the "Additional Questions - Not a Current Subscriber" option 
>>> should
>> include an optional question asking, "Do you have any questions or comments
>> on the InCommon Certificate Service offering that could influence your 
>> decision
>> to subscribe in the future?" In other words, it'd be good to find out why 
>> they are
>> not subscribers and if there's something InCommon could do to change their
>> mind.
>>> 
>>> For "What is the most challenging part of certificate lifecycle 
>>> management?"
>> I suggest adding "in your experience with the InCommon Cert Service?" In 
>> other
>> words, we're not asking for a theoretical opinion about certificate 
>> lifecycle
>> management but rather for their experience of the InCommon Cert Service.
>>> 
>>> Under potential enhancements we have "Federation/SSO for the Certificate
>> Manager system" but not "Federation/SSO for user self-enrollment". I think 
>> the
>> former is about RAOs and DRAOs logging in to the Cert Manager for approving
>> requests but the latter is about user's logging in to get their 
>> certificates directly
>> (i.e., like with CILogon) to eliminate manual RAO/DRAO approval. I think 
>> TCS
>> supports that now.
>>> 
>>> Otherwise looks great!
>>> 
>>> -Jim
>>> 
>>> On 11/13/15, 4:30 PM, 
>>> 
>>>  on behalf of
>> Paul Caskey wrote:
>>> Hello Cert Service Review group-
>>> 
>>> The initial feedback on the survey has been incorporated into survey 
>>> monkey.
>>> 
>>> The survey is located here: https://www.surveymonkey.com/r/InCommon-
>> certs
>>> 
>>> Please take a look at the survey and provide any additional feedback by 
>>> the
>> end of the day this next Tuesday, 11/17.  Please check the branching that 
>> has
>> been put into the survey (mainly on the first question).
>>> 
>>> We’ll incorporate any additional feedback we receive and hope to send it 
>>> out
>> to the community on Wednesday.
>>> 
>>> My apologies for the late notice.  Time is getting tight to get this done 
>>> before
>> the holidays.
>>> 
>>> 
>>> Thank you all!
>