...

If a certificate has remained in the 'applied' state for more than a few hours, please contact support: https://sectigo.com/support-ticket/

Q: Why are there now also 'authentication' TCS certificates?

...

In 2023 the CA/Browser Forum industry standards body introduced an assurance baseline as well as specific technical profiles for S/MIME certificates, and these affect the way we have deployed a joint-trust S/MIME and authentication client certificate profile for the 4th generation GEANT TCS. While the trust and assurance levels defined in these S/MIME Baseline Requirements are already met (or exceeded) by the certification practices of the GEANT TCS Personal CAs, the technical profiles defined in the S/MIME BR make it impossible to continue using a single Issuing CA and publicly-trusted Root CA for both email-signing and client-authentication personal certificates.

We have concluded that separating the email S/MIME use cases from the client authentication use cases is the best way forward. Client authentication will be serviced by an independent, community-specific trust model (i.e., a private CA), and we will keep the publicly-trusted S/MIME CA service available for email signing and encryption use cases, which are also ubiquitous in the TCS community.

Both the public-trust service and the private-CA service will be operated in parallel, and both will be available to the entire TCS constituency based on the current assurance practices.

The details for the transition as well as additional background can be found in the "GEANT TCS Gen4 private CA extension" specification of July 12th, 2023.

Q: What happened to the list of profiles in the 'clientgeant' (SAML) portal?

As soon as practical, two additional profiles will be added to the '/clientgeant' SAML portal alongside the current ones: "GEANT Personal Authentication" (private-trust individual client authentication) and "GEANT Personal Automated Authentication" (private-trust agent authentication for personally-controlled agents).

After August 28th, the old "GEANT IGTF MICS Personal" and "GEANT IGTF MICS Personal Robot" profiles will be removed from the SAML portal. At the same time, the "GEANT Personal" profile (which will be renamed to "email signing and encryption") will become a public-trust, S/MIME-only email signing and encryption profile. This public S/MIME profile will use the sponsor-validated profile to insert the givenName and surname of the applicant alongside the organisation name.

Q: I have relying parties using client authentication for services (web site access, IdP login, eduroam, ...). Do they need to act?

Yes, relying parties using TCS Personal and eScience Personal certificates must act before August 28, 2023. There are a few scenarios:

...