Educause Security Discussion mailing list archives
Re: New Thawte Enterprise Certificate Center
From: Mark Borrie <mark.borrie () OTAGO AC NZ>
Date: Tue, 12 Jan 2010 14:20:22 +1300
I can't answer Gary's question but want to add something of our recent experience with the new Thawte service.

The week before Xmas I needed to renew 3 certs. I had no units available so as I renewed the first one it prompted me to purchase a unit. I decided to purchase only one so that I could associate each purchase with a renewal. This turned out to be a bad plan. When I went to renew cert 2 and 3 they went straight through as the system thought I was in credit. I knew I wasn't so I went in and purchased a couple more units.

We waited the stipulated 2 days for certs 2 and 3 to be processed (cert 1 came through almost immediately). Then I noticed that the recently purchased units had been used but the certs were still pending. At this point I tried to communicate with Thawte. Unfortunately we are 10-11 hours different from South Africa and communication was very slow (Chat didn't work as they didn't seem to have anyone on and emails didn't get responded to until the next day). They denied I had made any additional purchases (I had the invoice on my desk at this stage) and so in desperation I purchased 2 more units as the certs had now expired. I was assured this would solve the problem.

At this stage I was on leave until Monday this week. An email was sent to us on the 24th saying that the expired certs were about to be reissued. When I got back this week I discovered that the second set of units I had purchased had been deducted but the certs were still pending. At this point I had to give Thawte an ultimatum which finally got the problem resolved.

During a phone conversation with someone from South Africa I pointed out that they might want to look at their processes, only to be told this problem wouldn't happen if I was always in credit.

Needless to say we are not impressed. I don't have an issue with teething problems but the almost total lack of support and ownership of the problem has us annoyed.

We are well down the track of moving to another provider of certs and this incident has been the last nail in the coffin for these guys.

Mark

Gary Flynn wrote:
I have a question to those of you who have transitioned from Thawte's old SPKI center to the new enterprise certificate center.

In the old system, our "technical officers" could see all certs so they could back each other up in renewing certs when people were on vacation, out sick, etc. In the new system, "subscribers" can only see certs they requested. So other "subscribers" can no longer back them up.

Thawte's suggested solution was to promote all the subscribers to administrators/security officers which subverts the request/approval mechanism as they'd be able to approve their own (and others') cert requests. I do not want to do that.

The only other option that comes to mind would be to use shared accounts and passwords for the subscriber accounts which I'm philosophically opposed to. How would I know who was actually requesting a cert or renewal if the request comes from a shared account?

Have you figured out a way to allow your subscribers to back each other up?

Gary Flynn
Security Engineer
James Madison University
--
Mark Borrie
Information Security Manager,
Information Technology Services,
University of Otago, Dunedin, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-5080