Blog

By Paul Caskey

Last month we asked the InCommon community to provide feedback on the InCommon Certificate Service in the form of an online survey. We use the feedback to develop work plans for the service for the coming year. This is a quick update on where we’re at with that process.

We're very pleased that we received 164 responses to the survey. With 424 subscribers, that represents a response rate of approximately 30%. This feedback is a critical component of the InCommon Certificate Service. This community-defined service couldn’t be operated successfully without your feedback, so thank you!

We’ll provide detailed results soon, but for now, here are a few quick takeaways from the results:

  • In general, folks are satisfied with the service (86% positive).
  • We see very strong demand for the service to support the ACME protocol.
  • There are a significant number of institutions who said they have MFA capabilities (81%), yet, of those, we were surprised at the lack of integration with the institutional IdP/SSO service (60%).
  • We found it interesting that SSO for CCM was listed in the top 4 issues of both the high and medium priority items of potential value to the cert service, yet SSO for CCM has been available in production for several months!
  • We thought it interesting that there were a couple of comments on price being an issue. Perhaps we should explore alternative consumption models?
  • DCV is widely regarded as a significant challenge in using the service.
  • The EV certificate process was also frequently listed as a challenge. Last year, Comodo attempted to ease this process with the implementation of 'anchor certificates'. Perhaps more is needed.
  • There were several good ideas for webinars/training mentioned in the comments and we’re working with Comodo to deliver that.


As you can see, we have some things to work on in the coming year to ensure that the InCommon Certificate Service continues to provide significant value. And, as we said, it would not be possible to deliver that value were it not for you, our tremendous community.

So, thanks again for providing feedback in this year’s survey and thank you for subscribing to the InCommon Certificate Service. As always, please let us know what else we can do to increase the value your institution receives from the service.

The InCommon Certificate Service and nine university subscribers have successfully completed a pilot, testing the use of single sign-on (SSO) and multifactor authentication (MFA) to log in to the Comodo Certificate Manager. This long-requested feature is now available for any Certificate Service subscriber that also operates an Identity Provider in the InCommon Federation.

Rather than use credentials provided by Comodo, those who administer certificates on campus, both RAOs (Registration Authority Officers) and DRAOs (Departmental Registration Authority Officers), will use their InCommon federated credentials for single sign-on. In addition, RAOs will leverage their local multifactor authentication process to secure their logins.

The benefits of this approach include:

  • The InCommon Certificate Service is used by organizations as their basis of internal and external trust. Protecting access with MFA reduces the likelihood of stolen credentials.
  • MFA-protected SSO increases security by leveraging protected campus credentials that RAOs already use in their local context to access higher security services.

This security enhancement leverages the REFEDS Multi-Factor Authentication Profile that allows service providers to signal the need for, and Identity Providers to signal the use of, multifactor authentication. Use of the REFEDS profile makes for seamless communications between the IdP and SP. The profile is maintained by the international Research and Education Federations (REFEDS) organization comprised of almost 50 national federations (including InCommon).
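To make the signalling concrete, here is an added example (not code from InCommon, Comodo or REFEDS) of both halves: the `RequestedAuthnContext` a service provider sends to ask for MFA, and the check it runs on the returned assertion. The function names and sample assertions are constructed for illustration, and the check assumes the SAML library has already verified the assertion's signature, issuer, audience and validity window.

```python
import xml.etree.ElementTree as ET

# Authentication context identifier defined by the REFEDS MFA Profile.
REFEDS_MFA = "https://refeds.org/profile/mfa"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML}
CLASS_REF_PATH = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"


def build_requested_authn_context() -> str:
    """SP side: AuthnRequest fragment that signals the need for MFA."""
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    rac = ET.Element(f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
    ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = REFEDS_MFA
    return ET.tostring(rac, encoding="unicode")


def mfa_asserted(assertion_xml: str) -> bool:
    """SP side: True only if the IdP signalled the use of MFA.

    Fails closed: a missing AuthnStatement or any other class reference
    (for example password-only) is treated as "no MFA".
    """
    root = ET.fromstring(assertion_xml)
    refs = [el.text.strip() for el in root.iterfind(CLASS_REF_PATH, NS) if el.text]
    # Exact match, not prefix or substring, so look-alike URIs are rejected.
    return REFEDS_MFA in refs


def _sample_assertion(class_ref: str) -> str:
    """Constructed, unsigned assertion skeleton used only as sample input."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}"><saml:AuthnStatement>'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )


MFA_LOGIN = _sample_assertion(REFEDS_MFA)
PASSWORD_LOGIN = _sample_assertion(
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
LOOKALIKE_LOGIN = _sample_assertion(REFEDS_MFA + "/optional")
NO_STATEMENT = f'<saml:Assertion xmlns:saml="{SAML}"/>'

if __name__ == "__main__":
    print(build_requested_authn_context())
    for name in ("MFA_LOGIN", "PASSWORD_LOGIN", "LOOKALIKE_LOGIN", "NO_STATEMENT"):
        print(name, "->", "allow" if mfa_asserted(globals()[name]) else "deny")
```
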

 

 

 

A pilot involving several InCommon Certificate Service subscribers continues, testing the use of single sign-on (SSO) and multifactor authentication (MFA) to log in to the Comodo Certificate Manager. This is a feature that has long been requested and was one of the top most-desired items on the survey conducted last year.

Rather than use credentials provided by Comodo, those who administer certificates on campus, both RAOs (Registration Authority Officers) and DRAOs (Departmental Registration Authority Officers), will use their InCommon federated credentials for single sign-on. In addition, RAOs will leverage their local multifactor authentication process to secure their logins. The benefits of this approach include:

  • The InCommon Certificate Service is used by organizations as their basis of internal and external trust. Protecting access with MFA reduces the likelihood of stolen credentials.
  • MFA-protected SSO increases security by leveraging protected campus credentials that RAOs already use in their local context to access higher security services.

This security enhancement will leverage the REFEDS Multi-Factor Authentication Profile that allows service providers to signal the need for, and Identity Providers to signal the use of, multifactor authentication. The profile is maintained by the international Research and Education Federations (REFEDS) organization comprised of more than 40 national federations (including InCommon).

In response to requests from the InCommon community, we are pleased to announce that Comodo has contracted with a new status service to provide the current state of the Comodo Certificate Manager system and accompanying notices of scheduled maintenance.

Status and maintenance alerts are currently posted to the cert-users@incommon.org list. To streamline things for Comodo, and to free the InCommon cert-users list of these updates, as of June 1, 2017, Comodo will no longer post system status and maintenance updates to the cert-users list. However, the new email list, maintained by the status.io service, requires a manual opt in. Everyone is encouraged to visit the new Comodo CM status page for updates, and to subscribe to these alerts, which will be generated by the status service and emailed to you.

This will also allow us to return the cert-users list to its original intent to serve as a discussion list for the InCommon Certificate Service subscriber community.

Through June 1, 2017, Comodo will publish status and maintenance alerts through the new status service and also to the cert-users page. After June 1, these alerts will no longer appear here on the cert-users list. Why wait? Head over to Comodo’s page now and sign yourself up for the alerts. The new service is available now. You can sign up to the list by clicking the “SUBSCRIBE” button in the top right of the status page.