InCommon Certificate Program Letters

Below are sample authorization letters for establishing chain of trust at your institution.

Letter to CIO to authorize campus administrators

Dear CIO,

The campus has registered with InCommon's Certificate Service, which will grant the university license to issue unlimited digital certificates via Comodo, a trusted commercial Certificate Authority. I'm writing to ask for your confirmation of the request by UC Berkeley's Identity and Access Management team members to administer the InCommon Certificate program for the campus.

We request that you authorize Identity and Access Team members to represent UC Berkeley's business requirements for digital certificates bearing the Berkeley.EDU name and to issue and renew digital certificates used for such purposes as securing web servers run on behalf of UC Berkeley. Such web servers present and certify to visitors that the name of the web server legitimately belongs to the Berkeley.EDU web domain.

Once approved, Identity and Access Management (IAM) team members will be granted Registration Authority Officer (RAO) access to the administrative tools Comodo provides as part of this service. Registration Authority Officers (RAO) can, in turn, delegate certificate administrative authority to Department Registration Authority Officers (DRAO). The IAM team is requesting your authorization to vet and approve Departmental Registration Authority Officers (DRAO).

Please respond to this message to indicate your approval. Let us know if you have any questions.

IAM Manager

Letter to campus management to authorize departmental administrators

Dear Department XYZ Manager,

UC Berkeley is participating in the InCommon Certificate program, which allows delegated administrators in campus departments to issue and renew digital certificates used for such purposes as securing web servers run on behalf of your department. Such web servers present and certify to visitors that the name of the web server legitimately belongs to the Berkeley.EDU web domain.

Through the InCommon Certificate program, UC Berkeley pays a site fee (sponsored by the OCIO and IST), and is then entitled to issue unlimited digital certificates through Comodo, a well-established commercial Certificate Authority.

More information about this program is available at:

http://www.incommonfederation.org/cert/

I'm writing to ask you to authorize staff from your department to represent your department's business requirements for digital certificates bearing the Berkeley.EDU name. The candidate(s) for this role will be authorized to issue and renew digital certificates issued as part of the InCommon certificate program.

Please reply with the name(s) of staff you would like to authorize (ideally this will be limited to 1-2 primary departmental administrators and an appropriate backup).

Thanks,

Name
IST - Identity and Access Management Team

Letter to campus trademark office for permission to use trademarked name Berkeley.EDU

Dear OMBO,

I am writing to request permission for trained, trusted IST and
departmental delegates to assert the University's domain name,
"Berkeley.EDU", as part of signed SSL certificates issued as part
of a new digital certificate program managed by InCommon, the primary
identity federation for higher education in the United States.

Through the new InCommon Certificate program, UC Berkeley will pay a
site fee and then be entitled to issue unlimited digital certificates
through Comodo, a well-established Certificate Authority. UC Berkeley's
participation in this program is being sponsored by Shelton Waggener,
Chief Information Officer for the campus.

More information about this program is available at:

http://www.incommonfederation.org/cert/

As a Certificate Authority, Comodo serves as a trusted third party to
validate that a computer holding a certificate issued via the InCommon
Certificate program belongs to the organization listed in the
certificate. In this case, hostnames carrying the trademarked UC
Berkeley domain name "Berkeley.EDU" will be listed in these certificates.

This is an exciting program that will save many campus departments the
staff time and cost they currently incur when purchasing SSL certificates.

Please let us know if you have any objection to this use of the
"Berkeley.edu" trademark.

Thanks.

IAM Manager

Enrollment letter to Departmental Administrators

Dear Departmental Certificate Administrator,

You have been approved to serve as a Departmental Certificate Authority and to 
review and approve digital certificates for your department through the InCommon 
Certificate Service (http://www.incommonfederation.org/cert/). Please begin by 
sending us email to indicate the department name you would like us to use and 
the DNS domains and hostnames for which you would like to be responsible for issuing 
certificates. It is possible to request additional domains via the InCommon Admin 
tools later, but the initial setup will be smoother if we provision most of these up front.

For example:

Department name: Housing, Business School, Law School, EECS, etc.

Requested DNS domains and hostnames: *.mysubdom.berkeley.edu, myhost1.berkeley.edu, 
*.mysubdom.1918.berkeley.edu, myhost2.1918.berkeley.edu, etc.

The wildcard names represent subdomains for which you claim responsibility for 
the identity of every host.

The CalNet team will update the InCommon Certificate Service Manager (CSM) to add 
you as a "Departmental Registration Authority Officer (DRAO)" and to enroll the appropriate 
subdomains and hosts for your department. You will administer certificates using the InCommon 
Certificate Service Manager (CSM). We have included some screenshots of the tool on the 
CalNet wiki at http://wikihub.berkeley.edu/x/I4A1Ag. You can also see more detailed online 
guides and demos at http://www.incommonfederation.org/cert/demos/.

You will need to attend an in-person training before we can approve your Departmental 
Certificate Administrator status. We will schedule trainings when we have a group of 
new administrators identified. In the meantime, you can continue to send certificate 
requests directly to calnet-pki@berkeley.edu.

Enjoy the InCommon Certificate Service.

IST - Identity and Access Management Team

Service Announcement Letter

Dear IT Managers and Staff,

UC Berkeley is now participating in the new InCommon Certificate
Service, which will entitle campus staff to unlimited SSL, personal
signing, encryption, and code signing PKI certificates.

More information about this program is available at:

http://www.incommonfederation.org/cert/

The OCIO and IST sponsor the campus site fee and ongoing support for
this program. The service will be managed by the IST - CalNet team
which manages Identity and Access Management services for the campus.

SSL certificates are available through this program now. For personal,
code signing, and encryption certificates, staff can continue to use the
CalNetPKI service managed by the IST Windows team (https://calnetpki.berkeley.edu)
until those services are available via the InCommon Certificate Service.

The new service allows for delegated administration of certificate
requests and approval. The CalNet team is currently recruiting
Departmental Certificate Administrators (DCAs), who will be required to
attend an in-person training and can then be authorized to issue
certificates for specified departmental subdomains/hosts.

DCAs must be nominated/approved by MSOs or equivalent management staff
in a department. If you would like to nominate DCAs for your
department, please send your nominations to calnet-pki@lists.berkeley.edu.

To request SSL certificates directly, please review instructions posted
in our FAQ at:

CalNet InCommon-Comodo Certificate Service

Please send questions, comments and certificate requests to
calnet-pki@lists.berkeley.edu.

IAM Manager