
certsvc-review - Re: [CertSvc Review] feedback on survey

Subject: Cert Service Webinar Evaluation

  • From: "Basney, Jim" <>
  • To: Paul Caskey <>, E Todd Atkins <>
  • Cc: Ann West <>, "" <>
  • Subject: Re: [CertSvc Review] feedback on survey
  • Date: Wed, 18 Nov 2015 22:56:18 +0000
  • Accept-language: en-US

+1 on API improvements.

FWIW, our DRAOs request the following API enhancements:
- specify external requester field
- specify optional subject DN components to omit (Street, Locality)

They also wish for bulk approval through the web interface. Currently
manually approving one-by-one a large batch of certificate requests is very
time-consuming.

We'll include the above in our survey response. :)

On 11/18/15, 2:11 PM, Paul Caskey wrote:
>Done - thank you for your feedback!
>
>
>> -----Original Message-----
>> From: E Todd Atkins
>> [mailto:]
>> Sent: Wednesday, November 18, 2015 2:07 PM
>> To: Paul Caskey
>> Cc: Basney, Jim; Ann West;
>>
>> Subject: Re: [CertSvc Review] feedback on survey
>>
>> That looks good to me.
>>
>> > On Nov 18, 2015, at 12:00, Paul Caskey
>> > <>
>> > wrote:
>> >
>> > OK, thanks!
>> >
>> > So, how about adding this to potential future improvements: "API
>> improvements (additional functions)"??
>> >
>> >
>> >
>> >> -----Original Message-----
>> >> From: E Todd Atkins
>> >> [mailto:]
>> >> Sent: Wednesday, November 18, 2015 1:58 PM
>> >> To: Paul Caskey
>> >> Cc: Basney, Jim; Ann West;
>> >>
>> >> Subject: Re: [CertSvc Review] feedback on survey
>> >>
>> >> I currently use the API to submit new certificate requests. However,
>> >> I must log on to the certificate manager to either approve, decline,
>> >> and/or edit the request since there are no documented functions for
>> performing these actions.
>> >> I would like to be able to perform more of the same actions from the
>> >> API as I can from logging onto the certificate manager.
>> >>
>> >>> On Nov 18, 2015, at 11:22, Paul Caskey
>> >>> <>
>>wrote:
>> >>>
>> >>> Thanks, Todd!
>> >>>
>> >>> Could you give a brief example of what sort of improvement we'd be
>> >> considering? I've not used the API, so I'm not sure what it's like.
>> >>>
>> >>>
>> >>>> -----Original Message-----
>> >>>> From: E Todd Atkins
>> >>>> [mailto:]
>> >>>> Sent: Wednesday, November 18, 2015 12:51 PM
>> >>>> To: Paul Caskey
>> >>>> Cc: Basney, Jim; Ann West;
>> >>>>
>> >>>> Subject: Re: [CertSvc Review] feedback on survey
>> >>>>
>> >>>> I think "API improvements" should be included in item #8
>> >>>>
>> >>>>> On Nov 18, 2015, at 09:19, Paul Caskey
>> >>>>> <>
>>wrote:
>> >>>>>
>> >>>>> Thank you again, Jim, for the feedback. I made the suggested
>> >>>>> changes
>> >>>> detailed below.
>> >>>>>
>> >>>>> The survey is now ready to go to the community, pending any
>> >>>>> last-minute
>> >>>> changes that any of you think are needed.
>> >>>>>
>> >>>>> I will wait until tomorrow to send out the survey, so *please*
>> >>>>> take a look at it,
>> >>>> if you haven't already and let me know what you think. The survey
>> >>>> will be sent under the auspices of this working group.
>> >>>>>
>> >>>>> Thank you all for your input!
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> Changes made this morning (wording changes in bold - new versions
>> >> below):
>> >>>>>
>> >>>>> For non-subscribers:
>> >>>>> "Do you have any questions about, comments on, or features desired
>> >>>>> in the
>> >>>> InCommon Certificate Service offering that could influence your
>> >>>> decision to subscribe in the future?"
>> >>>>>
>> >>>>> "What is the most challenging part of certificate lifecycle
>> >>>>> management in
>> >>>> your experience with the InCommon Certificate Service? Please
>> >>>> choose your top three."
>> >>>>>
>> >>>>> "Federation/SSO for the Certificate Manager system (RAO/DRAO
>> access)"
>> >>>>>
>> >>>>> "Federation/SSO for the Certificate Manager system for User
>> >>>>> Certificate self-
>> >>>> enrollment"
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> From: Basney, Jim
>> >>>>> [mailto:]
>> >>>>> Sent: Tuesday, November 17, 2015 3:53 PM
>> >>>>> To: Paul Caskey
>> >>>>> Cc: Ann West;
>> >>>>>
>> >>>>> Subject: Re: [CertSvc Review] feedback on survey
>> >>>>>
>> >>>>> Right, since the user details (name, email) are already in our
>> >>>>> SAML
>> >>>> assertions, no need to separately upload the user details to
>>Comodo.
>> >>>> Let the users log in directly via SAML to get their user certs
>> >>>> (i.e., like https://cilogon.org/ does). If you only want some users
>> >>>> to be able to get certs, then define an eduPersonEntitlement for
>> >>>> it. Using SAML authentication for certificate issuance rather than
>> >>>> email invitations significantly increases the level of assurance of
>> >>>> the certificate, I
>> >> think.
>> >>>>>
>> >>>>> On 11/17/15, 3:32 PM, Paul Caskey wrote:
>> >>>>> Hi Jim-
>> >>>>>
>> >>>>> Very good points on 1 and 2, but I need a little help
>> >>>>> understanding #3. Are
>> >>>> you saying that end users could authenticate via fed/sso and
>> >>>> retrieve a cert? In the current setup, the RAO would need to
>> >>>> enter/upload their user details first and send them an invitation.
>> >>>> We'd need to discuss with Comodo how that might work, but I like
>> >>>> the idea. Let me know if I am misunderstanding it... Otherwise,
>> >>>> we'll chat with Comodo about the idea on our next call (FWIW, I was
>> >>>> able to log in to CCM Dev via
>> >> shib last week, so we're getting close.).
>> >>>>>
>> >>>>>
>> >>>>> Thanks much!
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> From: Basney, Jim
>> >>>>> [mailto:]
>> >>>>> Sent: Tuesday, November 17, 2015 3:26 PM
>> >>>>> To: Paul Caskey
>> >>>>> Cc: Ann West;
>> >>>>>
>> >>>>> Subject: Re: [CertSvc Review] feedback on survey
>> >>>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> I think the "Additional Questions - Not a Current Subscriber"
>> >>>>> option should
>> >>>> include an optional question asking, "Do you have any questions or
>> >>>> comments on the InCommon Certificate Service offering that could
>> >>>> influence your decision to subscribe in the future?" In other
>> >>>> words, it'd be good to find out why they are not subscribers and if
>> >>>> there's something InCommon could do to change their mind.
>> >>>>>
>> >>>>> For "What is the most challenging part of certificate lifecycle
>> >> management?"
>> >>>> I suggest adding "in your experience with the InCommon Cert
>>Service?"
>> >>>> In other words, we're not asking for a theoretical opinion about
>> >>>> certificate lifecycle management but rather for their experience of
>> >>>> the
>> >> InCommon Cert Service.
>> >>>>>
>> >>>>> Under potential enhancements we have "Federation/SSO for the
>> >>>>> Certificate
>> >>>> Manager system" but not "Federation/SSO for user self-enrollment".
>> >>>> I think the former is about RAOs and DRAOs logging in to the Cert
>> >>>> Manager for approving requests but the latter is about users
>> >>>> logging in to get their certificates directly (i.e., like with
>> >>>> CILogon) to eliminate manual RAO/DRAO approval. I think TCS
>>supports
>> that now.
>> >>>>>
>> >>>>> Otherwise looks great!
>> >>>>>
>> >>>>> -Jim
>> >>>>>
>> >>>>> On 11/13/15, 4:30 PM,
>> >>>>>
>> >>>>> on
>> >>>>> behalf of
>> >>>> Paul Caskey wrote:
>> >>>>> Hello Cert Service Review group-
>> >>>>>
>> >>>>> The initial feedback on the survey has been incorporated into
>> >>>>> survey
>> >> monkey.
>> >>>>>
>> >>>>> The survey is located here:
>> >>>>> https://www.surveymonkey.com/r/InCommon-certs
>> >>>>>
>> >>>>> Please take a look at the survey and provide any additional
>> >>>>> feedback by the
>> >>>> end of the day this next Tuesday, 11/17. Please check the
>> >>>> branching that has been put into the survey (mainly on the first
>>question).
>> >>>>>
>> >>>>> We'll incorporate any additional feedback we receive and hope to
>> >>>>> send it out
>> >>>> to the community on Wednesday.
>> >>>>>
>> >>>>> My apologies for the late notice. Time is getting tight to get
>> >>>>> this done before
>> >>>> the holidays.
>> >>>>>
>> >>>>>
>> >>>>> Thank you all!
>> >>>
>> >



