I also believe that managing certs as one more thing in our electronic resource management process is going to be burdensome. You’re kind of convincing me Mike, that perhaps it IS doable, but already we’re adding e resources to multiple systems and this is one more thing that we’d have to do on a fairly routine basis (and then wouldn’t we be worrying about when multiple certs expire, etc.). I also think of those institutions that are subscribing to hundreds of resources, wouldn’t managing all those certs be a problem?
I still think it’s worth testing the proof of concept though and am interested to hear what comes of this, Mike.
Something that I also see implied here is why aren’t vendors doing a better job collaborating with the developers of EZProxy, instead of only putting the pressure on Let’s Encrypt to support wildcard certs (although I kind of think that’s the better way to go).
John Spoor Broome Library
California State University, Channel Islands
[Description: Description: CI Formal Logo_1B grad_em signature]
From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of Michael C Robinson
Sent: Friday, January 15, 2016 10:08 AM
To: [log in to unmask]; Code for Libraries
Subject: Re: [patronprivacy] Let's Encrypt and EZProxy
The ability to have many domain names on a single Let's Encrypt certificate should work well as a stop gap until wildcard certificates are available. Our mid-size university library subscribes to a number of resources which probably represents a couple of hundred domain names that need to be proxied. We don't subscribe to that many databases but one of the publishers uses separate domain names for each journal, i.e. somejournal.somevendor.com.
If the LE tool allows you to add a domain name to existing certificate or batch add domain names from a file that can be maintained, it would not be too hard to provision this way.
Also, not all vendors will make https available right away so ramp up would be slow.
I will try to spin up a test instance of ezproxy in next couple of weeks and install certificates via LE and report back on this thread.
Long term, I would still make the pitch to Lets Encrypt to make wildcard available at some point, its just more elegant and straight forward, it would eliminate a step of having to issue/modify certificate when adding a new resource to the proxy.
From: [log in to unmask]<mailto:[log in to unmask]> <[log in to unmask]<mailto:[log in to unmask]>> on behalf of Eric Hellman <[log in to unmask]<mailto:[log in to unmask]>>
Sent: Thursday, January 14, 2016 10:20 AM
To: [log in to unmask]<mailto:[log in to unmask]>; Code for Libraries
Subject: [patronprivacy] Let's Encrypt and EZProxy
A while back, the issue of needing a wildcard certificate (not supported by Lets Encrypt) for EZProxy was discussed.
In my discussions with publishers about switching to HTTPS, EZProxy compatibility has been the most frequently mentioned stumbling block preventing a complete switch to HTTPS for some HTTPS-ready publishers. In two cases that I know of, a publisher which has been HTTPS-only was asked by a library customer to provide insecure service (oh the horror!) for this reason.
It's been pointed out to me that while Lets Encrypt is not supporting wildcard certificates, up to 100 hostnames can be supported on a single LE certificate. A further limit on certificates issued per week per domain would mean that up to 500 hostnames can be registered with LE in a week.
Are there EZProxy instances out there that need more than 500 hostnames, assuming that all services are switched to HTTPS?
Also, I blogged my experience talking to people about privacy at #ALAMW16.
President, Free Ebook Foundation
Founder, Unglue.it<http://Unglue.it> https://unglue.it/