
If a certificate has been in the 'applied' state for more than a few hours, please contact support: https://sectigo.com/support-ticket/

Q: Why are there now also 'authentication' TCS certificates? What happened to the choices in the 'clientgeant' portal?

In 2023, the CA/Browser Forum industry standards body introduced an assurance baseline as well as specific technical profiles for S/MIME certificates that affect the way we have deployed a joint-trust S/MIME and authentication client certificate profile for the 4th generation GEANT TCS. While the trust and assurance levels defined in these S/MIME Baseline Requirements are already met (or exceeded) by the certification practices of the GEANT TCS Personal CAs, the technical profiles envisioned by the S/MIME BR make it impossible to continue using a single Issuing CA and publicly-trusted Root CA for both email-signing and client authentication personal certificates.

We have concluded that separating the email S/MIME use cases from the client authentication use cases is the best way forward. Client authentication will be serviced by an independent, community-specific trust model (i.e., a private CA), and we will keep the publicly-trusted S/MIME CA service available for email signing and encryption use cases, which are also ubiquitous in the TCS community. Both the public-trust service and the private-CA service will be operated in parallel, and both will be available to the entire TCS constituency based on the current assurance practices.

The details for the transition as well as additional background can be found in the "GEANT TCS Gen4 private CA extension" specification of July 12th, 2023.

As soon as practical, the /clientgeant SAML portal will add two additional profiles: "GEANT Personal Authentication" (private trust individual client authentication) and "GEANT Personal Automated Authentication" (private trust agent authentication for personally-controlled agents).

After August 28th, the "GEANT IGTF MICS Personal" and "GEANT IGTF MICS Personal Robot" profiles will be removed from the SAML portal. At the same time, the "GEANT Personal" profile will become a public-trust, S/MIME-only email signing and encryption profile. This public S/MIME profile will use the sponsor-validated profile to insert the givenName and surname of the applicant alongside the organisation name.

Q: I have relying parties using client authentication for services (web site access, IdP login, eduroam, ...) - do I need to act?

Yes, relying parties using TCS Personal and eScience Personal certificates must act before August 28, 2023. There are a few scenarios:

  • the service uses GEANT eScience Personal (uniquely-named) client certificates: install the new "Research and Education Trust" certificates, and - depending on the client application - also the "GEANT TCS Authentication RSA/ECC CA 4B". These can be found in the TCS Repository. All relevant certificates are also distributed by the IGTF in distribution versions 1.122 and above (ECC variants in version 1.123). The subject naming of the end-users will remain the same.
    After August 28th, applicants will no longer be able to request eScience Personal certificates from the joint-trust eScience Personal (ECC) CA 4. This option will be removed from the clientgeant portal. Already issued certificates will remain valid for their entire stated period.
  • the service uses GEANT Personal (common-name only) client certificates: review your use case carefully. If authentication relies on the subject name in the certificate, note that - even today! - this name is not guaranteed to be unique. There may be multiple users that end up getting the same subject name! You are urgently encouraged to change to the new "Research and Education Trust" and the "GEANT TCS Authentication RSA/ECC CA 4B".
    Even if you decide to stay with the current GEANT Personal CA 4 S/MIME email certificates, beware that the subject name format will change: it may no longer contain a commonName, will include givenName and sn attributes, and may include other RDN components not currently present in the name format.
  • the service uses GEANT eScience Personal Robots for role-based authentication (e.g. monitoring agents, data movement agents, &c): install the new "Research and Education Trust" certificates, and - depending on the client application - also the "GEANT TCS Authentication RSA/ECC CA 4B". Through the SCM invite process, you will request a "GEANT Organisation Automated Authentication" certificate for these subscribers.
  • the service uses GEANT eScience Personal Robots for sending emails (re-signing mail list servers, automated mailing by roles such as security teams sending user notices, &c): for these applications you need public S/MIME trust. This means continuing to use the GEANT Personal CA 4, but requesting "GEANT Organisation email signing" in SCM.
    Note that the "GEANT IGTF Robot Email" profile is thus split by purpose: there are two new profiles, one private trust for authentication, one public trust for organisation-validated S/MIME!
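The two warnings above for relying parties on the common-name-only "GEANT Personal" profile (the commonName is not guaranteed unique, and the new S/MIME subject format may drop the commonName altogether in favour of givenName and sn) can be checked mechanically on the relying-party side. The following is an added example, not code from the GEANT TCS or Sectigo documentation: it contains a minimal DER encoder/decoder for an X.509 subject Name written for this example (single-attribute RDNs with UTF8String or PrintableString values only), renders the name as an RFC 4514-style string, and builds a subject-to-account map that reports any subject claimed by more than one local account. All subject values, organisation names and account identifiers are constructed sample data.

```python
# Added example (not part of the GEANT TCS FAQ): relying-party checks on X.509
# subject names. The DER Name encoder/decoder below is a minimal implementation
# written for this example; it covers only what the constructed sample needs.

OID_NAMES = {
    "2.5.4.3": "CN",    # commonName
    "2.5.4.4": "SN",    # surname (sn)
    "2.5.4.42": "GN",   # givenName
    "2.5.4.10": "O",    # organizationName
    "2.5.4.6": "C",     # countryName
}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


# ---- minimal DER helpers ---------------------------------------------------

def _der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high bit set on all but last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _decode_oid(content):
    arcs = [content[0] // 40, content[0] % 40]   # correct for the 2.5.4.* arcs used here
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Return (tag, content, position after element), rejecting truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def encode_name(attrs):
    """attrs: list of (short type, value) in encoding order, one attribute per RDN."""
    rdns = b""
    for short, value in attrs:
        atv = _tlv(0x30, _encode_oid(NAME_OIDS[short]) + _tlv(0x0C, value.encode("utf-8")))
        rdns += _tlv(0x31, atv)          # SET OF AttributeTypeAndValue
    return _tlv(0x30, rdns)              # SEQUENCE OF RelativeDistinguishedName


def parse_name(der):
    """Decode a DER Name into a list of RDNs, each a list of (type, value) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        attrs, p = [], 0
        while p < len(rdn):
            tag, atv, p = _read_tlv(rdn, p)
            _, oid_bytes, q = _read_tlv(atv, 0)
            vtag, value, _ = _read_tlv(atv, q)
            if vtag not in (0x0C, 0x13):  # UTF8String / PrintableString only
                raise ValueError("unsupported attribute value type 0x%02x" % vtag)
            oid = _decode_oid(oid_bytes)
            attrs.append((OID_NAMES.get(oid, oid), value.decode("utf-8")))
        rdns.append(attrs)
    return rdns


# ---- relying-party policy ---------------------------------------------------

def name_to_string(rdns):
    """RFC 4514-style string: most specific RDN first, special characters escaped."""
    def esc(v):
        return "".join("\\" + c if c in ',+"\\<>;' else c for c in v)
    return ",".join("+".join(f"{t}={esc(v)}" for t, v in rdn) for rdn in reversed(rdns))


def has_common_name(rdns):
    """False for the new givenName/sn-only S/MIME subject format."""
    return any(t == "CN" for rdn in rdns for t, _ in rdn)


def build_account_map(enrollments):
    """enrollments: list of (account_id, DER subject).
    Returns (mapping, collisions): mapping holds subjects claimed by exactly one
    account; collisions lists subjects claimed by several accounts, which is the
    failure mode of keying access on a non-unique commonName."""
    claimed = {}
    for account, der in enrollments:
        claimed.setdefault(name_to_string(parse_name(der)), set()).add(account)
    mapping = {k: next(iter(v)) for k, v in claimed.items() if len(v) == 1}
    collisions = {k: sorted(v) for k, v in claimed.items() if len(v) > 1}
    return mapping, collisions


# Constructed sample: two different people at one organisation sharing a name,
# plus a givenName/sn subject with no commonName.
ALICE_DN = encode_name([("C", "NL"), ("O", "Example University"), ("CN", "Jan Jansen")])
BOB_DN = encode_name([("C", "NL"), ("O", "Example University"), ("CN", "Jan Jansen")])
CAROL_DN = encode_name([("C", "NL"), ("O", "Example University"), ("CN", "Carol Example")])
NO_CN_DN = encode_name([("C", "NL"), ("O", "Example University"), ("GN", "Jan"), ("SN", "Jansen")])

if __name__ == "__main__":
    mapping, collisions = build_account_map([("alice", ALICE_DN), ("bob", BOB_DN), ("carol", CAROL_DN)])
    print("unique subjects:", mapping)
    print("colliding subjects:", collisions)
    print("has CN:", has_common_name(parse_name(NO_CN_DN)), "->", name_to_string(parse_name(NO_CN_DN)))
```

Running the block reports the two "Jan Jansen" enrolments as a collision and shows that the givenName/sn subject has no commonName at all, so a service that keys authorisation on CN alone would either merge two users or fail to match the new subjects; in production the DER subject would come from the verified client certificate after chain validation against the new trust anchors.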

Q: Does my organisation need to be re-validated to issue S/MIME certificates after August 28th, 2023?

Yes, due to slight difference