I’ve just had this from JANET:
“As a current member of our Server Certificate Service we would like to make you aware of some forthcoming changes to the service.
JANET(UK) has signed up to a new TERENA contract for server certificates to be provided by Comodo, which will go live before the end of this year, with notification of the exact date to be sent to all current registrants once confirmed. Our existing contract for server certificates issued by GlobalSign (through TERENA) will expire in January 2010. All existing customers of our Server Certificate Service will be invited to sign up for the new service in readiness for the system going live.
Once the new certificate service is in place and you have registered to use the service, your organisation’s authorised persons will be given access to an online account. A significant benefit will be the ability for customers to approve or deny their own certificates without the need to print, sign and return them individually to JANET(UK) for processing.
All aspects of validating individual certificate requests will be fully automated, thus improving the turnaround time for all certificate requests. Authorised persons will also be able to retrieve any / all certificates associated with their organisation and perform revocation functions directly. JANET(UK) will continue to absorb the cost of providing the certificates under this new system, so there will continue to be no onward charging to organisations.
Customers must be aware that under the present GlobalSign contract all current and valid certificates will be revoked by GlobalSign wef 9 April 2010, and not at the end of their natural lifespan. However we would like to assure you that we are still open for business and will continue to issue certificates, and are in the process of developing a transition plan to make the crossover to the new service as smooth and easy as possible for organisations.
If you should have any queries as a result of these changes please direct them to service@ja.net in the first instance.”
Not good. Comments welcome…
My response:
“Dear Janet,
This announcement has caused considerable concern in Oxford. We have hundreds of certificates under the current scheme.
Can you give an indication as to when we might be able to start using the new scheme? We’ll need as long as possible to re-issue all the certificates in the run up to 9th April. At the moment we have certificates that expire throughout the next three years so we have a steady stream of renewals to do. The new contract will mean we’ll have to re-issue them all by April 2010 and of course then we’ll have another spike in the run up to 2013. Not ideal.
I am rather surprised that the contract with Globalsign allows the certificates to be revoked at the end of the contract but accept that’s how it is. Will the new contract with Comodo have a similar clause? If it does, what guarantees will you have in place about business continuity? The University of Oxford is using the current certificates in many mission-critical applications so I would like to be able to give some reassurance to those service providers concerned and some indication as to whether they might be better off using a commercial provider if there is going to be a break in JANET service like this again.”
I’ve had a reply from JANET:
“Thank you for your e-mail and I have to say that we share your concern about the number of certificates that you have to transfer to the new system. We hope to be able to make life a little easier for you with the new system but realise that the timescales are not helpful.”
And clarification from Bob Day: “it wasn’t JANET’s contract, it was a contract between Globalsign and TERENA, under which we were able to acquire “free” certificates (not free, really, of course – it was a fixed price irrespective of the number ssupplied.) TERENA recently reprocured this and decided to switch to Comodo because the terms were better – in particular it gives a more scalable means of administering large numbers of certificates and therefore keeping costs down.”
[...] to the changes in the JANET SCS, then it could be worth hanging back on “go live” with your Shibboleth [...]
JANET have solved the problem of the mass expiry:
“We are pleased to be able to announce that all GlobalSign certificates, issued as part of the original JANET Server Certificate Service, will now continue to be valid for their stated lifespan. This means that organisations in possession of certificates, issued as part of this service, will not need to replace these certificates by April 2010. Certificate requests for the old service will not be accepted after 11th December 2009.”
Thank goodness for that!