I think you are correct. I and another library went and got a re-issued cert from ipsCA, stuck it in ezproxy, and found that Firefox as well as opera gave a security warning. (Actually, Opera never did work with the old ipsCA cert either.)
There is also correspondence between Mozilla and ipsCA, culminating in a note that Mozilla won't be activating the ipsCA cert, since they are past the deadline.
I was interested from the language that there seemed to be a way of activating certs rather than just putting them in there; perhaps you are seeing "inactive" certs from ipsCA?
-----Original Message-----
From: Code for Libraries [mailto:[log in to unmask]] On Behalf Of Godmar Back
Sent: Monday, January 04, 2010 2:52 PM
To: [log in to unmask]
Subject: Re: [CODE4LIB] ipsCA Certs
Hi,
in my role as unpaid tech advisor for our local library, may I ask a
question about the ipsCA issue?
Is my understanding correct that ipsCA currently reissues certificates [1]
signed with a root CA that is not yet in Mozilla products, due to IPS's
delaying the necessary vetting process [2]? In other words, Mozilla users
would see security warnings even if a reissued certificate was used?
The reason I'm confused is that I, like David, saw a number of still valid
certificates from "IPS Internet publishing Services s.l." already shipping
with Firefox, alongside the now-expired certificate. But I suppose those
certificates are for something else and the reissued certificates won't be
signed using them?
Thanks,
- Godmar
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=529286
[1] http://certs.ipsca.com/Support/hierarchy-ipsca.asp
On Thu, Dec 17, 2009 at 4:02 PM, John Wynstra <[log in to unmask]> wrote:
> Out of curiosity, did anyone else using ipsCA certs receive notification
> that due to the coming expiration of their root CA (December 29,2009), they
> would need a reissued cert under a new root CA?
>
> I am uncertain as to how this new Root CA will become a part of the
> browsers trusted roots without some type of user action including a software
> upgrade, but the following library website instructions lead me to believe
> that this is not going to be smooth. http://bit.ly/53Npel
>
> We are just about to go live with EZProxy in January with an ipsCA cert
> issued a few months ago, and I am not about to do that if I have serious
> browser support issue.
>
>
> --
> <><><><><><><><><><><><><><><><><><><>
> John Wynstra
> Library Information Systems Specialist
> Rod Library
> University of Northern Iowa
> Cedar Falls, IA 50613
> [log in to unmask]
> (319)273-6399
> <><><><><><><><><><><><><><><><><><><>
>
|