The InCommon Certificate program relies on a chain of trust that runs from Comodo, the root Certificate Authority, through InCommon and participating institutions to the departmental staff who actually issue the certificates. Maintaining a reliable chain of trust requires validating, at each level, that the people administering the program have the authority to verify that any given host legitimately belongs to the organization asserted in a digital certificate.
At UC Berkeley, we sought various approvals to ensure that a chain of trust was verified for our institution to the best of our ability. The section below describes that chain of trust and provides links to approval requests we sent to our campus leadership.
1. InCommon approval for UC Berkeley and the Office of the CIO
InCommon sent email to the "whois" address on record for our campus domain, Berkeley.edu, requesting confirmation that our CIO was authorized to approve the creation of accounts with InCommon for individuals who would be able to order SSL and user PKI certificates through InCommon's Certificate site license program.
2. Office of the CIO to CalNet (the campus Identity and Access Management team)
Our CIO authorized the CalNet team to manage the certificate program and issue certificates within the Berkeley.edu domain.
Sample CIO to campus administrator approval letter
3. The CalNet team to departmental staff
The CalNet team contacted high-level management staff from campus departments asking them to nominate and approve delegated departmental administrators for the certificate program.
Sample letter to authorize departmental administrators
4. Trademark approval
The CalNet team also requested formal approval from the campus trademark office to assert Berkeley's trademarked name in digital certificates issued via the InCommon program.
Sample letter to campus trademark office