Educause Security Discussion mailing list archives

Re: New Thawte Enterprise Certificate Center


From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Tue, 12 Jan 2010 14:20:22 +1300

I can't answer Gary's question but want to add something of our recent
experience with the new Thawte service.

The week before Xmas I needed to renew 3 certs. I had no units available
so as I renewed the first one it promoted me to purchase a unit. I
decided to purchase only one so that I could associate each purchase
with a renewal. This turned out to be a bad plan.

When I went to renew cert 2 and 3 they went straight through as the
system thought I was in credit. I knew I wasn't so I went in and
purchased a couple more units.

We waited the stipulated 2 days for certs 2 and 3 to be processed (cert
1 came through almost immediately). Then I noticed that the recently
purchased units had been used but the certs were still pending. At this
point I tried to communicate with Thawte. Unfortunately we are 10-11
hours different from South Africa and communication was very slow (Chat
didn't work as they didn't seem to have anyone on and emails didn't get
responded to until the next day). They denied I had made any additional
purchases (I had the invoice on my desk at this stage) and so in
desperation I purchased 2 more units as the certs had now expired.

I was assured this would solve the problem. At this stage I was on leave
until Monday this week. An email was sent to us on the 24th saying that
the expired certs were about to be reissued. When I got back this week I
discovered that the second set of units I had purchased had been
deducted but the certs were still pending.

At this point I had to give Thawte an ultimatum which finally got the
problem resolved. During a phone conversation with someone from South
Africa I pointed out that they might want to look at their processes
only to be told this problem wouldn't happen if I was always in credit.

Needless to say we are not impressed. I don't have an issue with teething
problems but the almost total lack of support and ownership of the
problem has us annoyed. We are well down the track of moving to another
provider of certs and this incident has been the last nail in the coffin
for these guys.

Mark

Gary Flynn wrote:
I have a question to those of you who have transitioned from Thawte's old
SPKI center to the new enterprise certificate center.

In the old system, our "technical officers" could see all certs so they
could back each other up in renewing certs when people were on vacation,
out sick, etc. In the new system, "subscribers" can only see certs they
requested. So other "subscribers" can no longer back them up. Thawte's
suggested solution was to promote all the subscribers to
administrators/security officers which subverts the request/approval
mechanism as they'd be able to approve their own (and others') cert
requests. I do not want to do that. The only other option that comes to
mind would be to use shared accounts and passwords for the subscriber
accounts which I'm philosophically opposed to. How would I know who was
actually requesting a cert or renewal if the request comes from a shared
account?

Have you figured out a way to allow your subscribers to back each other up?

Gary Flynn
Security Engineer
James Madison University


--
Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080
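The access model Gary is asking about, as an added illustration that is not part of the thread and not Thawte's or anyone's real product: a small Python model of a certificate-request workflow where subscribers can see and renew their own team's certificates (so a colleague can cover during leave), every request is recorded under the named account that made it, and approval is reserved for administrators who can never approve their own request. The team grouping, role names, hostnames and the `CertCenter` class are all assumptions made for the example.

```python
"""Toy model of a certificate-request workflow that lets subscribers
cover for each other without collapsing the request/approval split.
Added example only; the roles, team grouping and hostnames are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    SUBSCRIBER = "subscriber"   # may request and renew, never approve
    ADMIN = "admin"             # may approve, but never their own requests


@dataclass
class User:
    name: str
    role: Role
    team: str                   # assumed grouping used for backup visibility


@dataclass
class CertRequest:
    req_id: int
    common_name: str
    requested_by: str           # always an individual, named account
    status: str = "pending"
    approved_by: Optional[str] = None


class CertCenter:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.requests: Dict[int, CertRequest] = {}
        self.audit: List[str] = []   # who did what, tied to a named account
        self._next_id = 1

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def visible_requests(self, viewer: str) -> List[CertRequest]:
        """Admins see everything; a subscriber sees their own team's requests,
        which is what lets a colleague renew a cert while the requester is away."""
        u = self.users[viewer]
        if u.role is Role.ADMIN:
            return list(self.requests.values())
        return [r for r in self.requests.values()
                if self.users[r.requested_by].team == u.team]

    def submit(self, requester: str, common_name: str) -> CertRequest:
        req = CertRequest(self._next_id, common_name, requester)
        self._next_id += 1
        self.requests[req.req_id] = req
        self.audit.append(f"{requester} requested {common_name} (#{req.req_id})")
        return req

    def renew(self, actor: str, req_id: int) -> CertRequest:
        """Renewal is a new request. It must be visible to the actor, and it is
        recorded under the actor's own name, not the original requester's."""
        original = self.requests[req_id]
        if original not in self.visible_requests(actor):
            raise PermissionError(f"{actor} cannot see request #{req_id}")
        return self.submit(actor, original.common_name)

    def approve(self, approver: str, req_id: int) -> CertRequest:
        """Only admins approve, and never their own request (separation of duties)."""
        u = self.users[approver]
        req = self.requests[req_id]
        if u.role is not Role.ADMIN:
            raise PermissionError(f"{approver} is not an approver")
        if req.requested_by == approver:
            raise PermissionError(f"{approver} cannot approve own request #{req_id}")
        req.status, req.approved_by = "issued", approver
        self.audit.append(f"{approver} approved #{req_id}")
        return req


def demo() -> CertCenter:
    """Constructed scenario: two subscribers on one team, one on another, one admin."""
    cc = CertCenter()
    for u in (User("alice", Role.SUBSCRIBER, "ops"),
              User("bob", Role.SUBSCRIBER, "ops"),
              User("carol", Role.SUBSCRIBER, "web"),
              User("dan", Role.ADMIN, "security")):
        cc.add_user(u)
    first = cc.submit("alice", "www.example.edu")   # constructed hostname
    cc.approve("dan", first.req_id)
    cc.renew("bob", first.req_id)                    # alice on leave; bob covers
    return cc


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The point of the model is that backup coverage and separation of duties are independent controls: visibility is scoped by team, approval is scoped by role plus a requester-not-equal-approver rule, and because every action is tied to a personal account the audit trail still answers Gary's "who actually requested this" question without shared credentials.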
