Effective today, the cap on the number of valid client (personal) certificates per unique email address has been eliminated for all subscribers to the InCommon Certificate Service.

Since the deployment of client certificates, community discussions have identified some scenarios where having three or more client certificates per email address might be useful. InCommon and our partner, Comodo, agreed and have made available unlimited client certificates per email address.

Most certificate authorities allow only one valid client certificate per unique email address.

Previously, the InCommon Certificate Service has allowed subscribers to receive up to two certificates per unique email address. This flexibility has made it possible for sites to issue an escrowed encryption key, while also issuing the user a non-escrowed and non-repudiable digital signing key, as required by state law in some jurisdictions. Under this old scenario, however, an attempt to request a third certificate for that same email address would be denied.

A few anticipated questions are addressed below. If you have other questions, please email admin@incommon.org.

The InCommon Certificate Service provides unlimited SSL, personal signing (e.g. client), extended validation, encryption, and code signing certificates for one annual fee. This includes certificates for all domains owned by an institution of higher education. (www.incommon.org/cert)

FAQ:


Q. Why did you make this change for all users of the InCommon Certificate Service, rather than just the particular sites that might need this change?

A. Whatever setting we pick for this applies to all participants. Picking an unlimited number of client certificates per unique email address is an option that will provide flexibility for all potential client certificate usage scenarios.


Q. Will I need to do anything for my school to be able to issue three or more client certificates per unique email address?

A. No, this change will be transparently made for all InCommon Certificate Service subscribers.


Q. We're using client certificates from InCommon, but currently only issue one or two client certificates per unique email address. Do we need to do anything?

A. No.


Q. We subscribe to the InCommon Certificate Service, but we don't use client certs. Will this change affect us in any way? Do we need to do anything?

A. No, you won't be affected and you shouldn't need to do anything.
