What is Re-Request?
User certificate requests can be placed in one of following terminal states (states where no further action is possible - except re-request)
Once the request reaches one of these states, user can either submit a new request by copying its information from the old request to the new request, or user can "Re-Request" in order to reset the request state to be "REQUESTED".
Re-Request will re-use the same GOC Ticket (which includes all past history of the certificate request), as well as any state transitions associated with the request.
Why do we need Re-Request?
Opening a new request with similar request details (such as an identical CN, for example) could lead to a confusion by various parties involved. For example, information necessary to approve a request may be contained in the old request which could slow down the request processing. RA could also accidentally update on the wrong ticket, or approve / disapprove a wrong request, or simply make a wrong decision due to fragmented details. Requests with identical CN also makes it difficult to search / identify the correct request records. It also creates various technical difficulties requiring OIM developer to implement extra validation / error handling.
Re-requesting also makes it easier for user with expired certificate to make a new request without having to enter contact information, RA/VO sponsor information, etc.
Nothing should prevent user from submitting a new request, however, we should encourage users to re-request if it makes sense to do so.
Anyone including guest can Re-Request user certificate requests that are in REJECTED / CANCELED / REVOKED / EXPIRED status.
If OIM user Re-Request
- Update the requester ID of the request to that of the current OIM user
- Reset the status to be "REQUESTED"
If a Guest Re-Request (*please see "Guest Re-Reuqest" for more detail)
- Allow guest user to reset retrieval password.
- Reset the status to be "REQUESTED".
Any changes to CLI regarding Re-Request has not been planned yet.
Ability for a guest to re-request is necessary to allow users who has expired their certificate to regain access to OIM. Guest user also needs to be able to re-request a certificate that are in REJECTED / CANCELED / REVOKED, since sometime user expires certificates while they are processing a request with non-OIM issued certificate (that we don't keep track of its expiration status). Once everyone transition to DigiCert, I believe we should only allow guest user to re-request if the request is in EXPIRED state.
When a guest user re-requests, OIM will assume that the original requester is making the request as a guest (maybe the user's certificate is expired / revoked / lost). OIM will prompt following to the user during the re-request
Then, OIM will make following update to the associated ticket
A guest user has re-requested this user certificate request. Please contact the original requester; <requester.name> and confirm authenticity of this re-request, and approve / disapprove at <request URL>
These changes are scheduled to be released to OIM-ITB for testing on 4/16 and released to production on 4/23.