[CODE4LIB] Fwd: [arclight-community] ArcLight MVP work cycle completed (links to final demo video)

2017-06-19 Thread Mark A. Matienzo
Dear colleagues,

Please join me in extending congratulations to the ArcLight MVP project
team. We have completed our eight-week work cycle to develop a minimum
viable product to support discovery and delivery of archival materials
using Blacklight, and have released ArcLight 0.1.1.

Our final, full demo video (~30 minutes) can be seen here:
https://www.youtube.com/watch?v=IdNjEMOotRw

Our wind-down deck can be viewed here:
https://docs.google.com/presentation/d/1hqPn49-k4Q-8yiGRec09--LJ2OHoKbzUvba__2QNxwA/edit

The code for ArcLight, as well as documentation on how to get started, can
be found on GitHub: https://github.com/sul-dlss/arclight

Please join me in extending thanks to each of the team members:

· Product owner: Mark Matienzo (Stanford)
· Tech Lead: Jessie Keck (Stanford)
· Developers: Darren Hardy (Stanford), Jessie Keck (Stanford),
Gordon Leacock (University of Michigan), Jack Reed (Stanford), Camille
Villa (Stanford)
· UX Designers: Gary Geisler (Stanford), Jennifer Vine (Stanford)
· DevOps Liaison: Erin Fahy (Stanford)
· Management Liaisons: Tom Cramer (Stanford, DLSS Direct rep);
Nabeela Jaffer (University of Michigan)

In addition, please extend your gratitude to our great stakeholder team for
their participation in the work cycle:

· Stanford University: Frank Ferko (Archive of Recorded Sound),
Charles Fosselman (East Asia Library), Jenny Johnson (University Archives),
Michelle Paquette (Special Collections), Sarah Patton (Hoover Institution
Archives), Stu Snydman (DLSS), Laura Wilsey (DLSS)
· University of Michigan: Tom Burton-West (Digital Library Platform
and Services), Max Eckard (Bentley Historical Library), Roger Espinosa
(Digital Library Platform and Services), Dallas Pillen (Bentley Historical
Library), Chris Powell (Digital Library Platform and Services), Mike
Shallcross (Bentley Historical Library)
· Georgia Tech Library: Wendy Hagenmaier
· National Library of Medicine: John Rees
· Rockefeller Archives Center: Hillel Arnold, Patrick Galligan,
Bonnie Gordon

High-level features completed this sprint include:

· Repositories and collections navigation
· Searching: keyword and fielded searches; autocomplete; hit
highlighting; facets; sorting; pagination
· Default and compact search results
· Collection-level and component-level detail views
· Digital object linking and embedding using oEmbed and
configurable viewers
· Request management proof of concept integration

Future areas of work include:

· Accessibility testing and user testing, and subsequent
improvements
· Further testing of indexing by the community
· Full evaluation and refactoring of the indexing code
· Determining integration requirements for indexing directly from
ArchivesSpace
· In-depth integration of request management systems (e.g. SUL
Requests and Aeon)
· A plan for Stanford-specific rollout and integration

We encourage you to continue testing ArcLight, either in a local install or
using the demo site (https://arclight-demo.projectblacklight.org/), and to
ask us questions or report any bugs as they arise. We appreciate any and
all feedback you might have on the work we’ve completed during this work
cycle as it will inform the future direction of our work on ArcLight.



Best,

Mark

*Mark A. MATIENZO* | matie...@stanford.edu
Collaboration & Interoperability Architect
Digital Library Systems and Services, Stanford University Libraries
m: +1 (650) 683-5769
https://library.stanford.edu/people/matienzo


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Banerjee
>
> I am not sure what Kyle means by "encryption hides attacks".


Interfaces designed for humans are frequent targets for attack. Network
monitoring tools are incredibly helpful for identifying compromised
machines, bots, and humans trying to bust in. So yes, encryption does hide
attack activity just as it hides everything else. There are other
legitimate reasons to monitor traffic such as to debug problems.

Encryption is a powerful and useful tool. But I wouldn't want to exaggerate
its effectiveness in protecting privacy nor ignore costs or consequences of
implementation. My guess is the vast majority of people on this list have
been hosed at some point by a technical decision made upstream from their
workflow that was based on what "everyone" needed or didn't.

kyle


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
PS: If one single server (or group of identical servers, horizontally
scaled) needs to respond to multiple hostnames, I would use a single SAN
cert with multiple hostnames.

If multiple entirely different servers just happen to be different
*.university.edu -- I would not use a SAN cert or a wildcard cert, I would
give them each their own separate cert.  This is, IMO, more
contemporary/"correct" operations -- one cert per server build, not one
cert per organization.

The reasons people used one cert per organization were mainly about cost
(of providers that charge you per cert) or management difficulties,
both things letsencrypt is specifically meant to deal with to make one cert
per build possible. The advantage of one cert per build is security
partitioning: one machine being compromised does not compromise the SSL
certs for your entire organization.

On Mon, Jun 19, 2017 at 3:00 PM, Jonathan Rochkind 
wrote:

> There's no reason you _need_ to use a wildcard cert for many hosts. You
> can use a separate cert for each. The reason people prefer a wildcard cert
> is because it was a pain to _get_ and keep track of all those certs.
>
> letsencrypt architecture encourages you to just do that. The certs are
> automatically obtained and automatically renewed, there's no reason you
> need the same cert across multiple hosts, each host gets its own cert.
> (Which also means if one of them gets compromised, and you need to revoke a
> cert, you just need to revoke one host's cert, not a wildcard cert applying
> to all of them).  (And yes, automatic renewals are not hard with
> letsencrypt, it's specifically intended you do automated renewals, there
> are a variety of software and scripts for different environments to do it).
>
> I don't see anything wrong with that, really.
>
> There are cases where you really do need a wildcard cert -- an app which
> has _dynamic_ hostnames, like a hostname for each user account (eg
> jrochkind.github.io).  letsencrypt isn't going to work there, you really
> do need a wildcard cert.
>
> But just for a lot of hosts on the same TLD? They don't need a wildcard
> cert, and there are reasons to prefer them _not_ having a single wildcard
> cert (the revocation case, especially if they are all administered by
> different units), they can each just have their own cert.
>
> I am not sure what Kyle means by "encryption hides attacks".  Personally,
> I think SSL encryption is a requirement for contemporary professionally
> managed websites.  But the question of whether to use https or not at all
> --  is really a separate issue than whether to use letsencrypt/acme for
> your SSL certs.  If you decide you don't want/need https/SSL encryption at
> all, then you don't need to consider letsencrypt as opposed to a more
> manual cert provider at all. :)
>
> I don't see any real reason letsencrypt would not be viable for a library.
> You do need to have enough sysadmin ability to set up the automatic
> renewals, and understand what's going on, yes, that could be a barrier I
> suppose.  The main potential barrier I see is letsencrypt rate limits on
> hosts-per-tld, for an academic institution that is going to have
> hundreds/thousands of hosts within the TLD (*.university.edu). It seems
> they will exempt a university from these rate limits with an email request.
>
>
> I feel like there's a lot of FUD about letsencrypt going around for some
> reason.
>
> I believe there are logs of all letsencrypt certs granted somewhere, it
> might be possible to find those and look for *.edu's to find peer
> institutions.
>
> Jonathan
>
>
>
> On Mon, Jun 19, 2017 at 2:00 PM, Kyle Banerjee 
> wrote:
>
>> I almost wrote it wouldn't work, but what works always depends on the
>> particulars of your situation. For example, depending on how many domains
>> you need and what mechanisms you're using, you might be able to use
>> Subject Alternative Name (SAN) certificates to mitigate the lack of a
>> wildcard certificate. Another thing I was thinking about as I wrote that
>> is that a growing number of libraries provision resources with vendors
>> such as Amazon -- for that, you'll need the cooperation of your institution.
>>
>> Automating renewal is a good practice. Remember when the doi.org cert
>> expired a few years back? Wasn't pretty and could have worked out much
>> worse had the domain squatters been on the ball. It's not hard to
>> automate, and instructions are easy enough to find. Even when squatters
>> aren't an issue, expired certs cause all kinds of scary warnings.
>>
>> One of the big problems libraries face is that a lot of free stuff is not
>> viable for many libraries that need help the most. The whole problem is
>> these institutions often lack both staff and technical resources. And even
>> if they do have someone with the requisite skills to build great stuff out
>> of virtually nothing, they risk serious problems when that person leaves
>> and they can't replace them with some
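As an added illustration of the point Jonathan makes above about one cert per build versus one wildcard cert per organization, here is a small, self-contained check of which hostnames a certificate's Subject Alternative Name (SAN) entries actually cover, and therefore how many hosts a single leaked private key exposes until the cert is revoked. This is example code written for this page, not code from anyone in the thread or from Let's Encrypt; the matching rules follow RFC 6125 (the rules browsers apply), the public-suffix check is a stated approximation, and the fleet and certificate inventories are constructed sample data using the placeholder domain `university.edu` from the post.

```python
"""Which hostnames does a certificate cover, and how far does a key
compromise reach?  Constructed example for the per-host vs wildcard
discussion; not code from the thread or from Let's Encrypt."""
from typing import Dict, List, Set


def san_matches(san: str, hostname: str) -> bool:
    """True if one dNSName entry from a cert's Subject Alternative Name
    list covers `hostname`, following the RFC 6125 rules browsers apply:

    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the whole leftmost label
      ('*.university.edu' yes, 'lib*.university.edu' no);
    - '*' matches exactly one label, so '*.university.edu' covers
      'library.university.edu' but not 'university.edu' itself and not
      'catalog.library.university.edu'.
    Browsers additionally refuse wildcards over a public suffix ('*.edu');
    that is approximated here (assumption) by requiring at least two
    labels after the wildcard instead of consulting the Public Suffix List.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    suffix = san[1:]                      # ".university.edu"
    if "*" in suffix or suffix.count(".") < 2:
        return False
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return first_label != "" and "." not in first_label


def cert_covers(sans: List[str], hostname: str) -> bool:
    """True if any SAN entry on the cert is valid for `hostname`."""
    return any(san_matches(san, hostname) for san in sans)


def hosts_exposed_by_key_compromise(
    inventory: Dict[str, List[str]], fleet: List[str], compromised: str
) -> Set[str]:
    """Blast radius of one leaked private key.

    `inventory` maps a cert id to its SAN list, `fleet` is every hostname
    the organisation serves, `compromised` is the cert whose key leaked.
    Until that cert is revoked or expires, the holder of the key can
    impersonate exactly the fleet hosts the cert covers -- the 'security
    partitioning' point: per-host certs confine the damage to one host.
    """
    sans = inventory[compromised]
    return {host for host in fleet if cert_covers(sans, host)}


# Constructed sample data; university.edu is the placeholder domain used
# in the thread, not a real deployment.
FLEET = [
    "www.university.edu",
    "library.university.edu",
    "catalog.library.university.edu",
    "ezproxy.university.edu",
    "archives.university.edu",
]

# (a) one wildcard cert shared by the whole organisation
WILDCARD_INVENTORY = {"org-wildcard": ["university.edu", "*.university.edu"]}

# (b) one ACME-issued cert per host, which automated renewal makes cheap
PER_HOST_INVENTORY = {host: [host] for host in FLEET}

# (c) one SAN cert for a single server that answers several names (the
# case the thread says a multi-name cert is right for)
SAN_INVENTORY = {
    "library-san": ["library.university.edu", "archives.university.edu"]
}


if __name__ == "__main__":
    for label, inv, cert in [
        ("wildcard", WILDCARD_INVENTORY, "org-wildcard"),
        ("per-host", PER_HOST_INVENTORY, "library.university.edu"),
        ("SAN", SAN_INVENTORY, "library-san"),
    ]:
        exposed = hosts_exposed_by_key_compromise(inv, FLEET, cert)
        print(f"{label:9s} key of {cert!r} leaked -> {sorted(exposed)}")
    # Note the wildcard does not reach catalog.library.university.edu:
    # that host needs its own cert (or its own wildcard) either way.
```

Running it shows the three inventories side by side: the leaked wildcard key lets an attacker impersonate every single-label host under the domain at once, the leaked per-host key exposes only that one host, and the SAN cert sits in between, covering exactly the names one server legitimately answers to. It also shows the one limitation of wildcards the thread does not mention: a wildcard matches one label only, so a deeper hostname is not covered by it.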

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
There's no reason you _need_ to use a wildcard cert for many hosts. You can
use a separate cert for each. The reason people prefer a wildcard cert is
because it was a pain to _get_ and keep track of all those certs.

letsencrypt architecture encourages you to just do that. The certs are
automatically obtained and automatically renewed, there's no reason you
need the same cert across multiple hosts, each host gets its own cert.
(Which also means if one of them gets compromised, and you need to revoke a
cert, you just need to revoke one host's cert, not a wildcard cert applying
to all of them).  (And yes, automatic renewals are not hard with
letsencrypt, it's specifically intended you do automated renewals, there
are a variety of software and scripts for different environments to do it).

I don't see anything wrong with that, really.

There are cases where you really do need a wildcard cert -- an app which
has _dynamic_ hostnames, like a hostname for each user account (eg
jrochkind.github.io).  letsencrypt isn't going to work there, you really do
need a wildcard cert.

But just for a lot of hosts on the same TLD? They don't need a wildcard
cert, and there are reasons to prefer them _not_ having a single wildcard
cert (the revocation case, especially if they are all administered by
different units), they can each just have their own cert.

I am not sure what Kyle means by "encryption hides attacks".  Personally, I
think SSL encryption is a requirement for contemporary professionally
managed websites.  But the question of whether to use https or not at all
--  is really a separate issue than whether to use letsencrypt/acme for
your SSL certs.  If you decide you don't want/need https/SSL encryption at
all, then you don't need to consider letsencrypt as opposed to a more
manual cert provider at all. :)

I don't see any real reason letsencrypt would not be viable for a library.
You do need to have enough sysadmin ability to set up the automatic
renewals, and understand what's going on, yes, that could be a barrier I
suppose.  The main potential barrier I see is letsencrypt rate limits on
hosts-per-tld, for an academic institution that is going to have
hundreds/thousands of hosts within the TLD (*.university.edu). It seems
they will exempt a university from these rate limits with an email request.


I feel like there's a lot of FUD about letsencrypt going around for some
reason.

I believe there are logs of all letsencrypt certs granted somewhere, it
might be possible to find those and look for *.edu's to find peer
institutions.

Jonathan



On Mon, Jun 19, 2017 at 2:00 PM, Kyle Banerjee 
wrote:

> I almost wrote it wouldn't work, but what works always depends on the
> particulars of your situation. For example, depending on how many domains
> you need and what mechanisms you're using, you might be able to use Subject
> Alternative Name (SAN) certificates to mitigate the lack of a wildcard
> certificate. Another thing I was thinking about as I wrote that is that a
> growing number of libraries provision resources with vendors such as Amazon
> -- for that, you'll need the cooperation of your institution.
>
> Automating renewal is a good practice. Remember when the doi.org cert
> expired a few years back? Wasn't pretty and could have worked out much
> worse had the domain squatters been on the ball. It's not hard to automate,
> and instructions are easy enough to find. Even when squatters aren't an
> issue, expired certs cause all kinds of scary warnings.
>
> One of the big problems libraries face is that a lot of free stuff is not
> viable for many libraries that need help the most. The whole problem is
> these institutions often lack both staff and technical resources. And even
> if they do have someone with the requisite skills to build great stuff out
> of virtually nothing, they risk serious problems when that person leaves
> and they can't replace them with someone with similar abilities.
>
> It is taken as gospel here that encryption is always good, but it's always
> important to be aware of tradeoffs. For example, encryption hides
> attacks.  It can instill a false sense of security -- there are lots of
> ways to track activity that aren't affected by encryption. It prevents
> caching and complicates complying with CIPA as well as state law filtering
> requirements, and it could create issues if your services must communicate
> with legacy apps.
>
> kyle
>
>
>
> On Mon, Jun 19, 2017 at 7:54 AM, Kyle Breneman 
> wrote:
>
> > Thanks for chiming in, Kyle.  I think, in your second-to-last sentence,
> you
> > were about to say "impossible."  Is that right?  Also is it difficult to
> > setup automatic certificate renewal?  For the record, I'm not trying to
> > bypass any organizational processes here, just doing some legwork in
> hopes
> > of handing campus IT a suggestion that will save them money.
> >
> > Kyle
> >
> > On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee 
> > wrote:
> >
> > > There are a few other 

[CODE4LIB] OLE Senior UX, UI and Interaction Designer position available

2017-06-19 Thread Holly L. Mistlebauer
OLE (the Open Library Environment, of
which Cornell University Library is a member) has partnered with EBSCO and 
Index Data to build and implement FOLIO - a new open 
source library services platform.

OLE is seeking a talented, experienced designer who can drive design processes 
from research through concept development and iterations to actually creating 
usable mockups and interfaces.  The right candidate will have the following mix 
of knowledge and skills: information architecture, wireframing, visual design, 
interaction design and prototyping (both on paper and digitally).

This position is administered by Cornell University, an OLE partner 
institution; however, the Index Data and OLE teams are distributed 
internationally so there is flexibility in location and work hours. You may be 
able to work from home!

This is a two-year benefits-eligible appointment starting immediately.

For more information or to apply for this position, please go to 
https://cornell.wd1.myworkdayjobs.com/en-US/CornellCareerPage/job/Ithaca-Main-Campus/OLE-Senior-UX--UI-and-Integration-Designer_WDR-00010901


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Junior Tidal
We use it for our library.

Best,
Junior


Junior Tidal
Associate Professor
Web Services and Multimedia Librarian
New York City College of Technology, CUNY 
300 Jay Street, Rm A434
Brooklyn, NY 11201
718.260.5481
 
http://library.citytech.cuny.edu



-Original Message-
From: Code for Libraries [mailto:CODE4LIB@LISTS.CLIR.ORG] On Behalf Of William 
Denton
Sent: Monday, June 19, 2017 1:57 PM
To: CODE4LIB@LISTS.CLIR.ORG
Subject: Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for 
security certificates?

On 18 June 2017, Jonathan Rochkind wrote:

> I'm actually having trouble finding an academic institution, or even a 
> standard ecommerce site, that DOES use an EV cert.

Where I work the library moved over to HTTPS a few months ago, and I'm happy to 
say we have one, thanks to university IT:

https://www.library.yorku.ca/web/

Bill
--
William Denton :: Toronto, Canada :: https://www.miskatonic.org/
Caveat lector.


[CODE4LIB] Job Posting: Digital Repository Developer at Boston Public Library

2017-06-19 Thread Eben English
The Boston Public Library is seeking a talented programmer to help develop
and maintain the core technical infrastructure for Digital Commonwealth (
https://digitalcommonwealth.org/) an open-source digital object repository
system used by Massachusetts libraries, archives, historical societies, and
museums to store and deliver digital resources to users across the state
and beyond.

Working closely with the metadata and imaging teams at the BPL, this
position develops and deploys open-source and commercial applications to
create an OAIS-compliant digital repository infrastructure on both local
and cloud-based environments to support the ingest, storage, preservation,
discovery, and distribution of digital resources; assists in the
extraction, aggregation, and transformation of depositor data into
repository-compliant metadata structures; extends and enhances digital
content by developing APIs and other tools to facilitate multiple
submission and access pathways and administrative analytics; implements
identity management and authentication policies and procedures to support
state-wide usability; and implements fixity checking and data backup
policies and procedures.

Qualifications:

 * Bachelor’s Degree in Computer Science or Computer Engineering (or an
equivalent area) from an accredited college or university with a focus on
programming, applications development, and scripting languages.
 * Minimum of 4 years of significant development experience in
an object-oriented environment such as Ruby, Python, or Java.
 * Significant experience installing and maintaining web application
components (Apache, Tomcat, NGINX, MySQL, PostgreSQL, etc.) in a Linux
server environment, preferably on virtualized and/or cloud-computing
platforms.
 * Working knowledge of Semantic Web/Linked Data components such as RDF,
SPARQL, and OWL.
 * Demonstrated familiarity with image, audio, video, and text file formats
- especially as they relate to digital library standards,
encoding/decoding/transcoding, and related metadata schemas.
 * Experience with software version control, Test-Driven Development and
Continuous Integration services.
 * Experience with open-source repository systems such as Fedora Commons,
Omeka, or DSpace and affiliated projects and service providers such as
Samvera (formerly known as Hydra), Islandora, and Duraspace.
 * Demonstrated project management experience.
 * Experience working in a cultural heritage (libraries, archives,
museums), academic, or research institution preferred.

The successful candidate must be a resident of the City of Boston upon the
first day of hire, and must successfully clear a Criminal Offenders Record
Information check.

For more information, including salary range and how to apply go to:
https://city-boston.icims.com/jobs/13334/digital-repository-developer/job.


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Banerjee
I almost wrote it wouldn't work, but what works always depends on the
particulars of your situation. For example, depending on how many domains
you need and what mechanisms you're using, you might be able to use Subject
Alternative Name (SAN) certificates to mitigate the lack of a wildcard
certificate. Another thing I was thinking about as I wrote that is that a
growing number of libraries provision resources with vendors such as Amazon
-- for that, you'll need the cooperation of your institution.

Automating renewal is a good practice. Remember when the doi.org cert
expired a few years back? Wasn't pretty and could have worked out much
worse had the domain squatters been on the ball. It's not hard to automate,
and instructions are easy enough to find. Even when squatters aren't an
issue, expired certs cause all kinds of scary warnings.

One of the big problems libraries face is that a lot of free stuff is not
viable for many libraries that need help the most. The whole problem is
these institutions often lack both staff and technical resources. And even
if they do have someone with the requisite skills to build great stuff out
of virtually nothing, they risk serious problems when that person leaves
and they can't replace them with someone with similar abilities.

It is taken as gospel here that encryption is always good, but it's always
important to be aware of tradeoffs. For example, encryption hides
attacks.  It can instill a false sense of security -- there are lots of
ways to track activity that aren't affected by encryption. It prevents
caching and complicates complying with CIPA as well as state law filtering
requirements, and it could create issues if your services must communicate
with legacy apps.

kyle



On Mon, Jun 19, 2017 at 7:54 AM, Kyle Breneman 
wrote:

> Thanks for chiming in, Kyle.  I think, in your second-to-last sentence, you
> were about to say "impossible."  Is that right?  Also is it difficult to
> setup automatic certificate renewal?  For the record, I'm not trying to
> bypass any organizational processes here, just doing some legwork in hopes
> of handing campus IT a suggestion that will save them money.
>
> Kyle
>
> On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee 
> wrote:
>
> > There are a few other catches. For example, you need to be able to run an
> > appropriate ACME client and set up automatic certificate renewal since
> the
> > maximum length you can get is 90 days. You also can't get wildcard
> > certificates which makes doing things like proxying by host name (e.g.
> > ezproxy). Your organization might also care if you bypass their process
> for
> > getting domain names.
> >
> > kyle
> >
> > On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind 
> > wrote:
> >
> > > Here's a thread about per-TLD rate limits being a problem for
> > universities;
> > > it seems per a post at the end of that thread that letsencrypt might
> > exempt
> > > your institution from ratelimits, but an official agent of the
> university
> > > needs to submit the request:
> > >
> > > https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
> > >
> > >
> > >
> > > On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <
> tomeconque...@gmail.com>
> > > wrote:
> > >
> > > > Thanks for that detailed and interesting reply, Jonathan.
> > > >
> > > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <
> jonat...@dnil.net
> > >
> > > > wrote:
> > > >
> > > > > Just to clarify, by "Commercial certificates offer stronger proof
> of
> > > > > identity", you mean an "Extended Validation" (EV) certificate.
> > > > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > > > >
> > > > > If you are getting a 'commercial certificate' that is a standard
> > > 'domain
> > > > > validated' cert instead of an EV cert, you are not getting any
> > stronger
> > > > > proof of identity than you would from letsencrypt.
> > > > >
> > > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV
> > > cert,
> > > > > but an ordinary domain validated one. (Additionally, that
> particular
> > > web
> > > > > page serves http: images , triggering browser mixed content
> > warnings!).
> > > > >
> > > > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > > > >
> > > > > Looking at another Maryland public university:  https://umd.edu/
> > > appears
> > > > > similar. NOT an EV cert, and additionally serving http assets
> > > triggering
> > > > a
> > > > > mixed content warning.
> > > > >
> > > > > I'm actually having trouble finding an academic institution, or
> even
> > a
> > > > > standard ecommerce site, that DOES use an EV cert.
> > > > >
> > > > > You can tell it's an EV cert when chrome or Firefox put the name of
> > the
> > > > > organization in the location bar to the left of URL.  Additionally,
> > in
> > > > > Firefox, if you click that name, then click the right-chevron 'more
> > > info'
> > > > > icon, then click "More information", under "Website Ident

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread William Denton
On 18 June 2017, Jonathan Rochkind wrote:

> I'm actually having trouble finding an academic institution, or even a
> standard ecommerce site, that DOES use an EV cert.

Where I work the library moved over to HTTPS a few months ago, and I'm happy to
say we have one, thanks to university IT:

https://www.library.yorku.ca/web/

Bill
--
William Denton :: Toronto, Canada :: https://www.miskatonic.org/
Caveat lector.


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Cary Gordon
In my experience, it has become very easy to setup renewal. It has gotten
easier with every release.

Cary

On Mon, Jun 19, 2017 at 7:55 AM Kyle Breneman 
wrote:

> Thanks for chiming in, Kyle.  I think, in your second-to-last sentence, you
> were about to say "impossible."  Is that right?  Also is it difficult to
> setup automatic certificate renewal?  For the record, I'm not trying to
> bypass any organizational processes here, just doing some legwork in hopes
> of handing campus IT a suggestion that will save them money.
>
> Kyle
>
> On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee 
> wrote:
>
> > There are a few other catches. For example, you need to be able to run an
> > appropriate ACME client and set up automatic certificate renewal since
> the
> > maximum length you can get is 90 days. You also can't get wildcard
> > certificates which makes doing things like proxying by host name (e.g.
> > ezproxy). Your organization might also care if you bypass their process
> for
> > getting domain names.
> >
> > kyle
> >
> > On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind 
> > wrote:
> >
> > > Here's a thread about per-TLD rate limits being a problem for
> > universities;
> > > it seems per a post at the end of that thread that letsencrypt might
> > exempt
> > > your institution from ratelimits, but an official agent of the
> university
> > > needs to submit the request:
> > >
> > > https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
> > >
> > >
> > >
> > > On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman <
> tomeconque...@gmail.com>
> > > wrote:
> > >
> > > > Thanks for that detailed and interesting reply, Jonathan.
> > > >
> > > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind <
> jonat...@dnil.net
> > >
> > > > wrote:
> > > >
> > > > > Just to clarify, by "Commercial certificates offer stronger proof
> of
> > > > > identity", you mean an "Extended Validation" (EV) certificate.
> > > > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > > > >
> > > > > If you are getting a 'commercial certificate' that is a standard
> > > 'domain
> > > > > validated' cert instead of an EV cert, you are not getting any
> > stronger
> > > > > proof of identity than you would from letsencrypt.
> > > > >
> > > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV
> > > cert,
> > > > > but an ordinary domain validated one. (Additionally, that
> particular
> > > web
> > > > > page serves http: images , triggering browser mixed content
> > warnings!).
> > > > >
> > > > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > > > >
> > > > > Looking at another Maryland public university:  https://umd.edu/
> > > appears
> > > > > similar. NOT an EV cert, and additionally serving http assets
> > > triggering
> > > > a
> > > > > mixed content warning.
> > > > >
> > > > > I'm actually having trouble finding an academic institution, or
> even
> > a
> > > > > standard ecommerce site, that DOES use an EV cert.
> > > > >
> > > > > You can tell it's an EV cert when chrome or Firefox put the name of
> > the
> > > > > organization in the location bar to the left of URL.  Additionally,
> > in
> > > > > Firefox, if you click that name, then click the right-chevron 'more
> > > info'
> > > > > icon, then click "More information", under "Website Identity" it
> will
> > > > list
> > > > > an "Owner:" for an EV cert. For an ordinary domain-validated cert,
> it
> > > > will
> > > > > list "This website does not supply ownership information" instead.
> > > > >
> > > > > Here's an example of an EV cert, the cert on digicert.com, a
> seller
> > of
> > > > > certs:
> > > > >
> > > > > https://www.digicert.com/
> > > > >
> > > > > If your cert is not EV but is just "domain validated", then despite
> > it
> > > > > being "commercial" it supplies the same level of proof of identity
> > as a
> > > > > letsencrypt cert -- proof of control of the domain at the time the
> > cert
> > > > was
> > > > > issued, either way.
> > > > >
> > > > >
> > > > >
> > > > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon  >
> > > > wrote:
> > > > >
> > > > > > We are starting to roll out LetsEncrypt for all of our services
> and
> > > > > > clients who do not use or want commercial certificates.
> > > > > >
> > > > > > Note that LetsEncrypt offers only domain authentication, in most
> > > cases
> > > > > > specifically validated by your control of the server. Commercial
> > > > > > certificates offer stronger proof of identity.
> > > > > >
> > > > > > We recommend commercial certificates for any sites that conduct
> > > > financial
> > > > > > transactions or require HIPAA compliance.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Cary
> > > > > >
> > > > > > Cary Gordon
> > > > > > The Cherry Hill Company
> > > > > > http://chillco.com
> > > > > >
> > > > > >
> > > > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing
> > > > List) <
> > > > > > lit...@lists.ala.org>

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Breneman
Thanks for chiming in, Kyle.  I think, in your second-to-last sentence, you
were about to say "impossible."  Is that right?  Also is it difficult to
setup automatic certificate renewal?  For the record, I'm not trying to
bypass any organizational processes here, just doing some legwork in hopes
of handing campus IT a suggestion that will save them money.

Kyle

On Mon, Jun 19, 2017 at 9:51 AM, Kyle Banerjee 
wrote:

> There are a few other catches. For example, you need to be able to run an
> appropriate ACME client and set up automatic certificate renewal since the
> maximum length you can get is 90 days. You also can't get wildcard
> certificates which makes doing things like proxying by host name (e.g.
> ezproxy). Your organization might also care if you bypass their process for
> getting domain names.
>
> kyle
>
> On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind 
> wrote:
>
> > Here's a thread about per-TLD rate limits being a problem for universities;
> > it seems per a post at the end of that thread that letsencrypt might exempt
> > your institution from ratelimits, but an official agent of the university
> > needs to submit the request:
> >
> > https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
> >
> >
> >
> > On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman 
> > wrote:
> >
> > > Thanks for that detailed and interesting reply, Jonathan.
> > >
> > > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind
> > > wrote:
> > >
> > > > Just to clarify, by "Commercial certificates offer stronger proof of
> > > > identity", you mean an "Extended Validation" (EV) certificate.
> > > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > > >
> > > > If you are getting a 'commercial certificate' that is a standard 'domain
> > > > validated' cert instead of an EV cert, you are not getting any stronger
> > > > proof of identity than you would from letsencrypt.
> > > >
> > > > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> > > > but an ordinary domain validated one. (Additionally, that particular web
> > > > page serves http: images, triggering browser mixed content warnings!).
> > > >
> > > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > > >
> > > > Looking at another Maryland public university:  https://umd.edu/ appears
> > > > similar. NOT an EV cert, and additionally serving http assets triggering a
> > > > mixed content warning.
> > > >
> > > > I'm actually having trouble finding an academic institution, or even a
> > > > standard ecommerce site, that DOES use an EV cert.
> > > >
> > > > You can tell it's an EV cert when Chrome or Firefox put the name of the
> > > > organization in the location bar to the left of the URL.  Additionally, in
> > > > Firefox, if you click that name, then click the right-chevron 'more info'
> > > > icon, then click "More information", under "Website Identity" it will list
> > > > an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
> > > > list "This website does not supply ownership information" instead.
> > > >
> > > > Here's an example of an EV cert, the cert on digicert.com, a seller of
> > > > certs:
> > > >
> > > > https://www.digicert.com/
> > > >
> > > > If your cert is not EV but is just "domain validated", then despite it
> > > > being "commercial" it supplies the same level of proof of identity as a
> > > > letsencrypt cert -- proof of control of the domain at the time the cert was
> > > > issued, either way.
> > > >
> > > >
> > > >
> > > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon
> > > > wrote:
> > > >
> > > > > We are starting to roll out LetsEncrypt for all of our services and
> > > > > clients who do not use or want commercial certificates.
> > > > >
> > > > > Note that LetsEncrypt offers only domain authentication, in most cases
> > > > > specifically validated by your control of the server. Commercial
> > > > > certificates offer stronger proof of identity.
> > > > >
> > > > > We recommend commercial certificates for any sites that conduct financial
> > > > > transactions or require HIPAA compliance.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Cary
> > > > >
> > > > > Cary Gordon
> > > > > The Cherry Hill Company
> > > > > http://chillco.com
> > > > >
> > > > >
> > > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <lit...@lists.ala.org> wrote:
> > > > > >
> > > > > > Apologies for cross-posting...
> > > > > >
> > > > > > Anyone out there working at a public institution that's using Let's
> > > > > > Encrypt for security certificates?  I just suggested to our campus IT
> > > > > > that we switch to using Let's Encrypt.  They told me it would need to
> > > > > > clear State of Maryland approval process first, and suggested that it
> > > > > > would be helpful to be able to point to other public institution

Re: [CODE4LIB] Functional requirements for open-source repositories

2017-06-19 Thread Thomas Guignard
Hi Paige

We recently went through a process to replace our repository software
(III/VTLS Vital) and although we did not explicitly state that the
replacement had to be open source, it was one of the criteria in the RFI
that we distributed. And as others said above, the existence of a large and
active community of users around the solution that we ended up choosing
(Islandora) played a large role in our decision.

We drew inspiration from this for our own list of functional requirements:
http://www.unesco.org/new/fileadmin/MULTIMEDIA/HQ/CI/CI/pdf/news/institutional_repository_software.pdf

Thomas


On Tue, Jun 13, 2017 at 12:44 PM, Phillips, Jean 
wrote:

> Paige,
>
>
> I don't know if I've ever required that a platform be open source in the
> functional specs.  In my experience the successful open source systems have
> been chosen based on flexibility, ability to locally customize and
> opportunity for development.
>
>
> My 2 cents.
>
>
> Jean
>
>
> Jean Phillips
> Associate Dean of Libraries for Technology & Digital Scholarship
> Florida State University, Strozier Library
> Email: jsphilli...@fsu.edu
> 
> From: Code for Libraries  on behalf of Erin
> Tripp 
> Sent: Friday, June 9, 2017 8:41:59 AM
> To: CODE4LIB@LISTS.CLIR.ORG
> Subject: Re: [CODE4LIB] Functional requirements for open-source
> repositories
>
> Hi Paige,
>
> I've responded to RFPs in the past that indicate an open source preference
> as a business requirement. The functional requirements don't usually
> specify platform or license, but focus on a detailed account of a user
> undertaking an action and the desired result. Boston College has an
> Islandora institutional repository (http://dlib.bc.edu/) that's been
> operational for a few years. The team running that project would have a
> great deal of experience, especially with migration from DigiTool.
>
> DuraSpace fosters the DSpace and Fedora platforms (Fedora as a backend for
> Islandora/Hydra/Hyku). If you'd like to discuss what options are out there,
> I'd be happy to help. We're contacted regularly by folks who would like to
> know what's out there. We do our best to point people in the direction of
> helpful resources and contacts.
>
> Erin Tripp
> Business Development Manager
> etr...@duraspace.org
> Duraspace
>
> On Wed, Jun 7, 2017 at 2:28 PM, Christopher Davis 
> wrote:
>
> > Paige,
> >
> > Kyle's reply to your message reminds me of an important truth which I
> > learned a few years ago - no software app or system (open source or
> > proprietary) will succeed in this world without an open and active support
> > community made up of users and developers. How many people actually pay
> > Microsoft for technical support these days? Instead, when one has a
> > problem, they search or ask a forum of users and developers for a solution.
> >
> > If software does not offer such a community to my project (even if it
> > offers every feature under the sun and is bug free), then I do not consider
> > it. Thanks to Terry Reese's advice, I will always look at the
> > interoperability of software and protocols as well (I think that healthy
> > support communities and interoperability almost always come hand-in-hand
> > though).
> >
> > FWIW,
> > Christopher Davis
> > Uintah County Library
> >
> > On June 7, 2017 10:46:54 AM MDT, Kyle Banerjee 
> > wrote:
> > >Hi Paige,
> > >
> > >Most libraries (including every one I've worked at) create a list of
> > >required, preferred, and optional requirements. The basic idea is you make
> > >a grid and check off which of those requirements is supported and move
> > >forward from there.
> > >
> > >However, the devil is in the details and the meaning of the word "support"
> > >is so slippery as to be virtually meaningless in both the open source and
> > >proprietary spheres. Even in a perfect world where all software bugs have
> > >gone extinct, support for standards, functions, technologies, and processes
> > >is inevitably based on assumptions of needs which in turn presume things
> > >like workflows, data, etc. -- so it is common to find yourself where a
> > >product can legitimately claim to support exactly what you need and be
> > >totally useless even before you consider whether the product is a good fit
> > >for your environment. Conversely, the mechanisms through which a product
> > >behaves may be able to easily achieve what you need even though it
> > >theoretically doesn't support it at all.
> > >
> > >The most important thing is to understand what you need and the mechanisms
> > >by which various products can meet those needs. I personally feel there is
> > >no substitute for talking directly to people with intimate understanding of
> > >your needs who can provide a balanced picture of how a product might meet
> > >your needs.
> > >
> > >kyle
> > >
> > >
> > >
> > >On Wed, Jun 7, 2017 at 8:34 AM, Paige Walker
> > >
> > >

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Banerjee
There are a few other catches. For example, you need to be able to run an
appropriate ACME client and set up automatic certificate renewal since the
maximum length you can get is 90 days. You also can't get wildcard
certificates which makes doing things like proxying by host name (e.g.
ezproxy). Your organization might also care if you bypass their process for
getting domain names.

kyle

On Mon, Jun 19, 2017 at 5:41 AM, Jonathan Rochkind 
wrote:

> Here's a thread about per-TLD rate limits being a problem for universities;
> it seems per a post at the end of that thread that letsencrypt might exempt
> your institution from ratelimits, but an official agent of the university
> needs to submit the request:
>
> https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24
>
>
>
> On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman 
> wrote:
>
> > Thanks for that detailed and interesting reply, Jonathan.
> >
> > On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind 
> > wrote:
> >
> > > Just to clarify, by "Commercial certificates offer stronger proof of
> > > identity", you mean an "Extended Validation" (EV) certificate.
> > > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> > >
> > > If you are getting a 'commercial certificate' that is a standard 'domain
> > > validated' cert instead of an EV cert, you are not getting any stronger
> > > proof of identity than you would from letsencrypt.
> > >
> > > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> > > but an ordinary domain validated one. (Additionally, that particular web
> > > page serves http: images, triggering browser mixed content warnings!).
> > >
> > > Same thing for the cert at https://langsdale.ubalt.edu/.
> > >
> > > Looking at another Maryland public university:  https://umd.edu/ appears
> > > similar. NOT an EV cert, and additionally serving http assets triggering a
> > > mixed content warning.
> > >
> > > I'm actually having trouble finding an academic institution, or even a
> > > standard ecommerce site, that DOES use an EV cert.
> > >
> > > You can tell it's an EV cert when Chrome or Firefox put the name of the
> > > organization in the location bar to the left of the URL.  Additionally, in
> > > Firefox, if you click that name, then click the right-chevron 'more info'
> > > icon, then click "More information", under "Website Identity" it will list
> > > an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
> > > list "This website does not supply ownership information" instead.
> > >
> > > Here's an example of an EV cert, the cert on digicert.com, a seller of
> > > certs:
> > >
> > > https://www.digicert.com/
> > >
> > > If your cert is not EV but is just "domain validated", then despite it
> > > being "commercial" it supplies the same level of proof of identity as a
> > > letsencrypt cert -- proof of control of the domain at the time the cert was
> > > issued, either way.
> > >
> > >
> > >
> > > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon
> > > wrote:
> > >
> > > > We are starting to roll out LetsEncrypt for all of our services and
> > > > clients who do not use or want commercial certificates.
> > > >
> > > > Note that LetsEncrypt offers only domain authentication, in most cases
> > > > specifically validated by your control of the server. Commercial
> > > > certificates offer stronger proof of identity.
> > > >
> > > > We recommend commercial certificates for any sites that conduct financial
> > > > transactions or require HIPAA compliance.
> > > >
> > > > Thanks,
> > > >
> > > > Cary
> > > >
> > > > Cary Gordon
> > > > The Cherry Hill Company
> > > > http://chillco.com
> > > >
> > > >
> > > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <lit...@lists.ala.org> wrote:
> > > > >
> > > > > Apologies for cross-posting...
> > > > >
> > > > > Anyone out there working at a public institution that's using Let's
> > > > > Encrypt for security certificates?  I just suggested to our campus IT
> > > > > that we switch to using Let's Encrypt.  They told me it would need to
> > > > > clear State of Maryland approval process first, and suggested that it
> > > > > would be helpful to be able to point to other public institutions that
> > > > > are using it.
> > > > >
> > > > > Regards,
> > > > > Kyle Breneman
> > > > > Integrated Digital Services Librarian
> > > > > University of Baltimore
> > > > >
> > > > > To maximize your use of LITA-L or to unsubscribe, see
> > > > > http://www.ala.org/lita/involve/email
> > > >
> > >
> >
>

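Two of the points in this exchange can be checked mechanically: Kyle's note that an ACME client has to keep up with 90-day renewals and that no wildcard names are available for proxy-by-hostname setups, and Jonathan's distinction between a domain-validated certificate and one that asserts an organization's identity. The code below is an added example, not code from the thread or from any project named in it; it works on the dict that Python's ssl.SSLSocket.getpeercert() returns, uses a constructed sample certificate in place of a live connection, and assumes a 30-day renewal lead time.

```python
"""Check a certificate's validation type, renewal timing and hostname
coverage, working on the dict that Python's ssl.SSLSocket.getpeercert()
returns. Added example for this thread; the sample certificate below is
constructed, not real. Assumption: renew when fewer than 30 of the 90 days
remain, the lead time most ACME clients default to."""
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed renewal lead time (see module docstring)

# Constructed sample shaped like a Let's Encrypt certificate: the subject
# holds only a CN (no organization) and the validity window is 90 days.
SAMPLE_DV_CERT = {
    "subject": ((("commonName", "ezproxy.example.edu"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Let's Encrypt Authority X3"),)),
    "notBefore": "Jun 17 13:53:00 2017 GMT",
    "notAfter": "Sep 15 13:53:00 2017 GMT",
    "subjectAltName": (("DNS", "ezproxy.example.edu"),
                       ("DNS", "www.example.edu")),
}

def rdn_dict(name):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in name for key, value in rdn}

def identity_asserted(cert):
    """True when the subject names an organization (OV or EV); a DV cert such
    as Let's Encrypt's carries only the domain. Telling EV from OV needs the
    certificatePolicies extension, which getpeercert() does not expose."""
    return "organizationName" in rdn_dict(cert.get("subject", ()))

def _utc(cert_time):
    """Parse the 'Jun 17 13:53:00 2017 GMT' form used by getpeercert()."""
    secs = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def lifetime_days(cert):
    return (_utc(cert["notAfter"]) - _utc(cert["notBefore"])).days

def days_remaining(cert, today_iso):
    """Whole days left before notAfter, counted from a 'YYYY-MM-DD' UTC date."""
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return (_utc(cert["notAfter"]) - today).days

def renewal_due(cert, today_iso):
    """An ACME client should renew once fewer than RENEW_BEFORE_DAYS remain."""
    return days_remaining(cert, today_iso) < RENEW_BEFORE_DAYS

def _name_matches(pattern, hostname):
    """RFC 6125 style: a leading '*' covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == pattern[2:]

def covers_hostname(cert, hostname):
    """Would the cert be accepted for hostname? SAN entries take precedence;
    the CN is consulted only when no SAN exists. Without a wildcard entry,
    each vendor host behind a proxy-by-hostname setup needs its own SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = rdn_dict(cert.get("subject", ())).get("commonName")
        names = [cn] if cn else []
    return any(_name_matches(n, hostname) for n in names)
```

On a live host the same functions can be fed the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()`, which is only populated after the chain has validated.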

Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Jonathan Rochkind
Here's a thread about per-TLD rate limits being a problem for universities;
it seems per a post at the end of that thread that letsencrypt might exempt
your institution from ratelimits, but an official agent of the university
needs to submit the request:

https://community.letsencrypt.org/t/rate-limiting-at-an-educational-institution/5910/24



On Mon, Jun 19, 2017 at 8:27 AM, Kyle Breneman 
wrote:

> Thanks for that detailed and interesting reply, Jonathan.
>
> On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind 
> wrote:
>
> > Just to clarify, by "Commercial certificates offer stronger proof of
> > identity", you mean an "Extended Validation" (EV) certificate.
> > https://en.wikipedia.org/wiki/Extended_Validation_Certificate
> >
> > If you are getting a 'commercial certificate' that is a standard 'domain
> > validated' cert instead of an EV cert, you are not getting any stronger
> > proof of identity than you would from letsencrypt.
> >
> > The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> > but an ordinary domain validated one. (Additionally, that particular web
> > page serves http: images, triggering browser mixed content warnings!).
> >
> > Same thing for the cert at https://langsdale.ubalt.edu/.
> >
> > Looking at another Maryland public university:  https://umd.edu/ appears
> > similar. NOT an EV cert, and additionally serving http assets triggering a
> > mixed content warning.
> >
> > I'm actually having trouble finding an academic institution, or even a
> > standard ecommerce site, that DOES use an EV cert.
> >
> > You can tell it's an EV cert when Chrome or Firefox put the name of the
> > organization in the location bar to the left of the URL.  Additionally, in
> > Firefox, if you click that name, then click the right-chevron 'more info'
> > icon, then click "More information", under "Website Identity" it will list
> > an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
> > list "This website does not supply ownership information" instead.
> >
> > Here's an example of an EV cert, the cert on digicert.com, a seller of
> > certs:
> >
> > https://www.digicert.com/
> >
> > If your cert is not EV but is just "domain validated", then despite it
> > being "commercial" it supplies the same level of proof of identity as a
> > letsencrypt cert -- proof of control of the domain at the time the cert was
> > issued, either way.
> >
> >
> >
> > On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon
> > wrote:
> >
> > > We are starting to roll out LetsEncrypt for all of our services and
> > > clients who do not use or want commercial certificates.
> > >
> > > Note that LetsEncrypt offers only domain authentication, in most cases
> > > specifically validated by your control of the server. Commercial
> > > certificates offer stronger proof of identity.
> > >
> > > We recommend commercial certificates for any sites that conduct financial
> > > transactions or require HIPAA compliance.
> > >
> > > Thanks,
> > >
> > > Cary
> > >
> > > Cary Gordon
> > > The Cherry Hill Company
> > > http://chillco.com
> > >
> > >
> > > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <lit...@lists.ala.org> wrote:
> > > >
> > > > Apologies for cross-posting...
> > > >
> > > > Anyone out there working at a public institution that's using Let's
> > > > Encrypt for security certificates?  I just suggested to our campus IT
> > > > that we switch to using Let's Encrypt.  They told me it would need to
> > > > clear State of Maryland approval process first, and suggested that it
> > > > would be helpful to be able to point to other public institutions that
> > > > are using it.
> > > >
> > > > Regards,
> > > > Kyle Breneman
> > > > Integrated Digital Services Librarian
> > > > University of Baltimore
> > > >
> > > > To maximize your use of LITA-L or to unsubscribe, see
> > > > http://www.ala.org/lita/involve/email
> > >
> >
>


Re: [CODE4LIB] [lita-l] Public institutions using Let's Encrypt for security certificates?

2017-06-19 Thread Kyle Breneman
Thanks for that detailed and interesting reply, Jonathan.

On Sun, Jun 18, 2017 at 12:35 PM, Jonathan Rochkind 
wrote:

> Just to clarify, by "Commercial certificates offer stronger proof of
> identity", you mean an "Extended Validation" (EV) certificate.
> https://en.wikipedia.org/wiki/Extended_Validation_Certificate
>
> If you are getting a 'commercial certificate' that is a standard 'domain
> validated' cert instead of an EV cert, you are not getting any stronger
> proof of identity than you would from letsencrypt.
>
> The cert used at https://www.ubalt.edu does NOT appear to be an EV cert,
> but an ordinary domain validated one. (Additionally, that particular web
> page serves http: images, triggering browser mixed content warnings!).
>
> Same thing for the cert at https://langsdale.ubalt.edu/.
>
> Looking at another Maryland public university:  https://umd.edu/ appears
> similar. NOT an EV cert, and additionally serving http assets triggering a
> mixed content warning.
>
> I'm actually having trouble finding an academic institution, or even a
> standard ecommerce site, that DOES use an EV cert.
>
> You can tell it's an EV cert when Chrome or Firefox put the name of the
> organization in the location bar to the left of the URL.  Additionally, in
> Firefox, if you click that name, then click the right-chevron 'more info'
> icon, then click "More information", under "Website Identity" it will list
> an "Owner:" for an EV cert. For an ordinary domain-validated cert, it will
> list "This website does not supply ownership information" instead.
>
> Here's an example of an EV cert, the cert on digicert.com, a seller of
> certs:
>
> https://www.digicert.com/
>
> If your cert is not EV but is just "domain validated", then despite it
> being "commercial" it supplies the same level of proof of identity as a
> letsencrypt cert -- proof of control of the domain at the time the cert was
> issued, either way.
>
>
>
> On Sat, Jun 17, 2017 at 1:53 PM, Cary Gordon wrote:
>
> > We are starting to roll out LetsEncrypt for all of our services and
> > clients who do not use or want commercial certificates.
> >
> > Note that LetsEncrypt offers only domain authentication, in most cases
> > specifically validated by your control of the server. Commercial
> > certificates offer stronger proof of identity.
> >
> > We recommend commercial certificates for any sites that conduct financial
> > transactions or require HIPAA compliance.
> >
> > Thanks,
> >
> > Cary
> >
> > Cary Gordon
> > The Cherry Hill Company
> > http://chillco.com
> >
> >
> > > On Jun 16, 2017, at 12:34 PM, Kyle Breneman (via lita-l Mailing List) <lit...@lists.ala.org> wrote:
> > >
> > > Apologies for cross-posting...
> > >
> > > Anyone out there working at a public institution that's using Let's
> > > Encrypt for security certificates?  I just suggested to our campus IT
> > > that we switch to using Let's Encrypt.  They told me it would need to
> > > clear State of Maryland approval process first, and suggested that it
> > > would be helpful to be able to point to other public institutions that
> > > are using it.
> > >
> > > Regards,
> > > Kyle Breneman
> > > Integrated Digital Services Librarian
> > > University of Baltimore
> > >
> > > To maximize your use of LITA-L or to unsubscribe, see
> > > http://www.ala.org/lita/involve/email
> >
>