Cert Service Webinar Evaluation

[Paul Caskey <>]

Done - thank you for your feedback!


> -----Original Message-----
> From: E Todd Atkins 
> [mailto:]
> Sent: Wednesday, November 18, 2015 2:07 PM
> To: Paul Caskey
> Cc: Basney, Jim; Ann West; 
> 
> Subject: Re: [CertSvc Review] feedback on survey
> 
> That looks good to me.
> 
> > On Nov 18, 2015, at 12:00, Paul Caskey 
> > <>
> >  wrote:
> >
> > OK, thanks!
> >
> > So, how about adding this to potential future improvements: "API
> improvements (additional functions)"??
> >
> >
> >
> >> -----Original Message-----
> >> From: E Todd Atkins 
> >> [mailto:]
> >> Sent: Wednesday, November 18, 2015 1:58 PM
> >> To: Paul Caskey
> >> Cc: Basney, Jim; Ann West; 
> >> 
> >> Subject: Re: [CertSvc Review] feedback on survey
> >>
> >> I currently use the API to submit new certificate requests. However,
> >> I must logon to the certificate manager to either approve, decline,
> >> and/or edit the request since there are no documented functions for
> performing these actions.
> >> I would like to be able to perform more of the same actions from the
> >> API as I can from logging onto the certificate manager.
> >>
> >>> On Nov 18, 2015, at 11:22, Paul Caskey 
> >>> <>
> >>>  wrote:
> >>>
> >>> Thanks, Todd!
> >>>
> >>> Could you give a brief example of what sort of improvement we'd be
> >> considering?  I've not used the API, so I'm not sure it's like.
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: E Todd Atkins 
> >>>> [mailto:]
> >>>> Sent: Wednesday, November 18, 2015 12:51 PM
> >>>> To: Paul Caskey
> >>>> Cc: Basney, Jim; Ann West; 
> >>>> 
> >>>> Subject: Re: [CertSvc Review] feedback on survey
> >>>>
> >>>> I think “API improvements” should be included in item #8
> >>>>
> >>>>> On Nov 18, 2015, at 09:19, Paul Caskey 
> >>>>> <>
> >>>>>  wrote:
> >>>>>
> >>>>> Thank you again, Jim, for the feedback.  I made the suggested
> >>>>> changes
> >>>> detailed below.
> >>>>>
> >>>>> The survey is now ready to go to the community, pending any
> >>>>> last-minute
> >>>> changes that any of you think is needed.
> >>>>>
> >>>>> I will wait until tomorrow to send out the survey, so *please*
> >>>>> take a look at it,
> >>>> if you haven’t already and let me know what you think.  The survey
> >>>> will be sent under the auspices of this working group.
> >>>>>
> >>>>> Thank you all for your input!
> >>>>>
> >>>>>
> >>>>>
> >>>>> Changes made this morning (wording changes in bold – new versions
> >> below):
> >>>>>
> >>>>> For non-subscribers:
> >>>>> “Do you have any questions about, comments on, or features desired
> >>>>> in the
> >>>> InCommon Certificate Service offering that could influence your
> >>>> decision to subscribe in the future?”
> >>>>>
> >>>>> “What is the most challenging part of certificate lifecycle
> >>>>> management in
> >>>> your experience with the InCommon Certificate Service? Please
> >>>> choose your top three.”
> >>>>>
> >>>>> “Federation/SSO for the Certificate Manager system (RAO/DRAO
> access)”
> >>>>>
> >>>>> “Federation/SSO for the Certificate Manager system for User
> >>>>> Certificate self-
> >>>> enrollment”
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> From: Basney, Jim 
> >>>>> [mailto:]
> >>>>> Sent: Tuesday, November 17, 2015 3:53 PM
> >>>>> To: Paul Caskey
> >>>>> Cc: Ann West; 
> >>>>> 
> >>>>> Subject: Re: [CertSvc Review] feedback on survey
> >>>>>
> >>>>> Right, since the user details (name, email) are already in our
> >>>>> SAML
> >>>> assertions, no need to separately upload the user details to Comodo.
> >>>> Let the users log in directly via SAML to get their user certs
> >>>> (i.e., like https://cilogon.org/ does). If you only want some users
> >>>> to be able to get certs, then define an eduPersonEntitlement for
> >>>> it. Using SAML authentication for certificate issuance rather than
> >>>> email invitations significantly increases the level of assurance of
> >>>> the certificate, I
> >> think.
> >>>>>
> >>>>> On 11/17/15, 3:32 PM, Paul Caskey wrote:
> >>>>> Hi Jim-
> >>>>>
> >>>>> Very good points on 1 and 2, but I need a little help
> >>>>> understanding #3.  Are
> >>>> you saying that end users could authenticate via fed/sso and
> >>>> retrieve a cert?  In the current setup, the RAO would need to
> >>>> enter/upload their user details first and send them an invitation.
> >>>> We’d need to discuss with Comodo how that might work, but I like
> >>>> the idea.  Let me know if I am misunderstanding it… Otherwise,
> >>>> we’ll chat with Comodo about the idea on our next call (FWIW, I was
> >>>> able to login to CCM Dev via
> >> shib last week, so we’re getting close.).
> >>>>>
> >>>>>
> >>>>> Thanks much!
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> From: Basney, Jim 
> >>>>> [mailto:]
> >>>>> Sent: Tuesday, November 17, 2015 3:26 PM
> >>>>> To: Paul Caskey
> >>>>> Cc: Ann West; 
> >>>>> 
> >>>>> Subject: Re: [CertSvc Review] feedback on survey
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> I think the "Additional Questions - Not a Current Subscriber"
> >>>>> option should
> >>>> include an optional question asking, "Do you have any questions or
> >>>> comments on the InCommon Certificate Service offering that could
> >>>> influence your decision to subscribe in the future?" In other
> >>>> words, it'd be good to find out why they are not subscribers and if
> >>>> there's something InCommon could do to change their mind.
> >>>>>
> >>>>> For "What is the most challenging part of certificate lifecycle
> >> management?"
> >>>> I suggest adding "in your experience with the InCommon Cert Service?"
> >>>> In other words, we're not asking for a theoretical opinion about
> >>>> certificate lifecycle management but rather for their experience of
> >>>> the
> >> InCommon Cert Service.
> >>>>>
> >>>>> Under potential enhancements we have "Federation/SSO for the
> >>>>> Certificate
> >>>> Manager system" but not "Federation/SSO for user self-enrollment".
> >>>> I think the former is about RAOs and DRAOs logging in to the Cert
> >>>> Manager for approving requests but the latter is about user's
> >>>> logging in to get their certificates directly (i.e., like with
> >>>> CILogon) to eliminate manual RAO/DRAO approval. I think TCS supports
> that now.
> >>>>>
> >>>>> Otherwise looks great!
> >>>>>
> >>>>> -Jim
> >>>>>
> >>>>> On 11/13/15, 4:30 PM, 
> >>>>> 
> >>>>>  on
> >>>>> behalf of
> >>>> Paul Caskey wrote:
> >>>>> Hello Cert Service Review group-
> >>>>>
> >>>>> The initial feedback on the survey has been incorporated into
> >>>>> survey
> >> monkey.
> >>>>>
> >>>>> The survey is located here:
> >>>>> https://www.surveymonkey.com/r/InCommon-
> >>>> certs
> >>>>>
> >>>>> Please take a look at the survey and provide any additional
> >>>>> feedback by the
> >>>> end of the day this next Tuesday, 11/17.  Please check the
> >>>> branching that has been put into the survey (mainly on the first 
> >>>> question).
> >>>>>
> >>>>> We’ll incorporate any additional feedback we receive and hope to
> >>>>> send it out
> >>>> to the community on Wednesday.
> >>>>>
> >>>>> My apologies for the late notice.  Time is getting tight to get
> >>>>> this done before
> >>>> the holidays.
> >>>>>
> >>>>>
> >>>>> Thank you all!
> >>>
> >