The bulk of the re-request capability has already been implemented; it simply needs to be completed. The purpose of this change document is to finalize the details of the re-request capability.

What is Re-Request?

User certificate requests can be placed in one of the following terminal states (states where no further action is possible, except re-request):

  • REJECTED
  • CANCELED
  • REVOKED
  • EXPIRED

Once the request reaches one of these states, the user can either submit a new request by copying its information from the old request to the new request, or "Re-Request" in order to reset the request state to "REQUESTED".

Re-Request will re-use the same GOC Ticket (which includes all past history of the certificate request), as well as any state transitions associated with the request.

Why do we need Re-Request?

Opening a new request with similar request details (such as an identical CN, for example) could lead to confusion among the various parties involved. For example, information necessary to approve a request may be contained in the old request, which could slow down the request processing. The RA could also accidentally update the wrong ticket, approve / disapprove the wrong request, or simply make a wrong decision due to fragmented details. Requests with an identical CN also make it difficult to search for / identify the correct request records. They also create various technical difficulties, requiring the OIM developer to implement extra validation / error handling.

Re-requesting also makes it easier for a user with an expired certificate to make a new request without having to enter contact information, RA/VO sponsor information, etc.

Nothing should prevent a user from submitting a new request; however, we should encourage users to re-request if it makes sense to do so.

Details

Anyone, including a guest, can Re-Request user certificate requests that are in REJECTED / CANCELED / REVOKED / EXPIRED status.

If an OIM user Re-Requests

  • Update the requester ID of the request to that of the current OIM user
  • Reset the status to be "REQUESTED"

If a Guest Re-Requests (*please see "Guest Re-Request" for more detail)

  • Allow guest user to reset retrieval password.
  • Reset the status to be "REQUESTED".

Changes to the CLI regarding Re-Request have not been planned yet.

Guest Re-Request

The ability for a guest to re-request is necessary to allow users whose certificates have expired to regain access to OIM. A guest user also needs to be able to re-request a certificate that is in REJECTED / CANCELED / REVOKED, since sometimes a user's certificate expires while they are processing a request with a non-OIM-issued certificate (whose expiration status we don't keep track of). Once everyone transitions to DigiCert, I believe we should only allow a guest user to re-request if the request is in the EXPIRED state.

When a guest user re-requests, OIM will assume that the original requester is making the request as a guest (maybe the user's certificate is expired / revoked / lost). OIM will prompt the user with the following during the re-request

Then, OIM will make the following update to the associated ticket:

Dear RA,

A guest user has re-requested this user certificate request. Please contact the original requester; <requester.name> and confirm authenticity of this re-request, and approve / disapprove at <request URL>
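
One way to express the rules from "Details" and "Guest Re-Request" as a single state check, added here as an example and not OIM's own code. The CertRequest record, the re_request function, the ticket_log list and the PBKDF2 hashing of the retrieval password are all assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass, field

# States the page lists as terminal; only these may be re-requested.
TERMINAL_STATES = {"REJECTED", "CANCELED", "REVOKED", "EXPIRED"}

# Ticket update text from the page, with its two placeholders as format fields.
GUEST_NOTE = (
    "Dear RA,\n\n"
    "A guest user has re-requested this user certificate request. "
    "Please contact the original requester; {name} and confirm authenticity "
    "of this re-request, and approve / disapprove at {url}"
)

@dataclass
class CertRequest:  # hypothetical record, not OIM's schema
    request_id: int
    ticket_id: str          # GOC ticket; never changes on re-request
    status: str
    requester_id: int
    requester_name: str
    passphrase_hash: bytes = b""
    passphrase_salt: bytes = b""
    ticket_log: list = field(default_factory=list)

def re_request(req, url, oim_user_id=None, guest_passphrase=None):
    """Reset a terminal request to REQUESTED, reusing the same ticket."""
    if req.status not in TERMINAL_STATES:
        raise ValueError(f"cannot re-request from state {req.status}")
    if oim_user_id is not None:
        # Authenticated OIM user: they become the requester of record.
        req.requester_id = oim_user_id
    else:
        # Guest: requester of record is unchanged, the guest sets a new
        # retrieval password, and the RA is asked to confirm authenticity.
        if not guest_passphrase:
            raise ValueError("guest must supply a new retrieval password")
        req.passphrase_salt = os.urandom(16)
        req.passphrase_hash = hashlib.pbkdf2_hmac(
            "sha256", guest_passphrase.encode(), req.passphrase_salt, 200_000)
        req.ticket_log.append(
            GUEST_NOTE.format(name=req.requester_name, url=url))
    req.status = "REQUESTED"
    return req
```

A guest re-request leaves requester_id untouched, so the RA's confirmation goes to the original requester rather than to whoever submitted the form.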

Timeline

These changes are scheduled to be released to OIM-ITB for testing on 4/16 and released to production on 4/23.
