Wednesday, December 23, 2009

ipsCA

It's Festivus. So let's air a grievance:

To all my fellow .edu's out there who're getting bit by the fact that ALL IPSCA CERTIFICATES EXPIRE FROM ANY BROWSER THAT ISN'T IE ON WINDOWS (not that I'm cranky about this, but it was a wonderful holiday gift from them), I have a few thoughts relating to the Mozilla bug 529286.

1. I know that between my time and my group's time we spent far more on our salaries dealing with just this problem alone than we saved by getting the "free" certs.

2. ipsCA did some MAJOR no-no's here. We were issued a certificate on December 10, 2009 on the SERVERDORES cert that expires on December 29, 2009. This is really, really bad. No customer should ever be put in this position.

3. If you have not purchased SSL certificates in some time (as was my case), you might be pleasantly surprised that the cost has come down dramatically (as I was) -- especially for wildcard certificates (e.g. *.col.univ.edu). Especially for most .edu's out there, be careful about some CAs that want you to sign a contract/paper (which is typically something that can get one in trouble).

4. The fact that ipsCA has gotten themselves into this mess is not Mozilla's problem. We ultimately depend on the security provided by these certificates and this process. From my reading of the timeline, it is going to take many months and is most likely something that is going to be slowed down due to people wanting to ensure that ipsCA has taken steps not to repeat this problem.


The bottom line is that we, as customers of ipsCA, should never have been put in this position in the first place. ipsCA put us there, not Mozilla.


Time to limber up for my Feats of Strength.

1 comment:

Anonymous said...

Where did you find a timeline for Mozilla approving the Cert? Is there any official standing on how long something like this will take?