Testing is for wimps - Proof we don't need it!



  • I suspected when I posted this, it would only be a matter of time before I'd have something to post - and that would be today.



    We use a convoluted version of a web service which involves us running a local copy of their "client" software (which is the web service we directly communicate with), which communicates to the hosted part of the web service, and to "ensure security", the locally hosted part uses EPF certificates to communicate with the remotely hosted bit.



    Last week, a couple of those certificates were due to expire. They emailed me the details to get the new ones, and I set about installing them on the UAT instance of the software. They didn't work, and after a bit of email tennis, repeated diagnostics and a few changes, they couldn't figure out why. As this was the day before the live ones were going to expire, on a whim, I (after backing up, of course) installed the new certificates on the live system (the certificates were assigned to either the UAT system or Live, I had some for each). It worked first time, and has gone past the original expiry date with no problems, other than having no UAT.



    After a bit more email tennis today, it transpires that during the last few days...


    1. There were never any issues at our end of the system (no surprise there then...)
    2. They tested the certificates before they were issued, which worked.... BUT....
    3. By testing them (AKA, following the same process I had to) meant that as far as they were concerned, they had been downloaded and installed, and my attempts to install them were then consequently invalid
    4. They issued me more certificates... again, after testing them
    5. The third and final batch they issued worked because... they didn't "test" them first



      And I was in direct contact with a "Senior" Distributed Applications Support technician who should have known better. I'd hate to see what happened if I got a call centre support monkey...


  •  I don't understand. Why would their testing (i.e. downloading and installing) invalidate the certificates? Or making it impossible for you to do the same?


  • Discourse touched me in a no-no place

    @TheRider said:

     I don't understand. Why would their testing (i.e. downloading and installing) invalidate the certificates? Or making it impossible for you to do the same?

    Presumably the first request to download the certificate ties the certificate to some property of the downloading entity, (say the public IP address for want of a better example - it's probably more involved such as a UUID associated with the client,) such that any other entities subsequently downloading it (from different public IPs) don't get 'validated,' but the original entity can still re-download it if required. Or it simply allows a once-only download.



    The 'testing' would be that first request, and MT's attempt at installation would be a request by some party other than the first to request the cert.



  • For those wondering, EPF is a file type used by Microsoft Outlook for importing/exporting digital signatures and UAT is user-acceptance testing.



  • @pinkduck said:

    For those wondering, EPF is a file type used by Microsoft Outlook for importing/exporting digital signatures and UAT is user-acceptance testing.

    And here I was thinking that UAT was "Upper Alimentary Tract", the nearest thing in a list of UATs that seemed to make sense.

    When are people going to learn that not everyone is familiar with their brand of vocabulary and should always spell out an acronym before using it. (Common acronyms like "USA" and "asap" excepted.)



  • @SilentRunner said:

    (Common acronyms like "USA" and "asap" excepted.)

    What is USA? In Holy People's Republic of Southwestern Uberikaristan, government not tell us of things like that...



  • @TheRider said:

     I don't understand. Why would their testing (i.e. downloading and installing) invalidate the certificates? Or making it impossible for you to do the same?


    Their "testing" wasn't so much "testing", rather "I'm gonna do the same process the end user has to" - Downloading and installing each of their certificates is kinda a one-shot deal though, and they should've known better!



  • Oh, so "downloading" really means "having a new certificate created for the IP address of the current client on-the-fly and download it, overwriting any pre-existing certificate"?



  • @TheRider said:

    Oh, so "downloading" really means "having a new certificate created for the IP address of the current client on-the-fly and download it, overwriting any pre-existing certificate"?


    They give me one ID number and passphrase in order to download each certificate. Once a download was successful, that ID & passphrase combo is then marked as used, no matter what IP address did the downloading.



    If I need another copy of the same certificate, normally I have to go pleading to their support desk, who then want me to explain in writing (in triplicate, using blood instead of ink) as to why I need another copy. Hopefully their guys would have had to lose some blood in order to generate some more download IDs in this instance.... but I'm willing to bet they just whipped them up in 3 seconds flat from their desktop PCs.



  • @MeesterTurner said:

    They give me one ID number and passphrase in order to download each certificate. Once a download was successful, that ID & passphrase combo is then marked as used, no matter what IP address did the downloading.
    It's not so much downloaded as it is generated on your machine, and then their server signs your public key (the private key never leaves your computer).



  • @ender said:

    @MeesterTurner said:
    They give me one ID number and passphrase in order to download each certificate. Once a download was successful, that ID & passphrase combo is then marked as used, no matter what IP address did the downloading.
    It's not so much downloaded as it is generated on your machine, and then their server signs your public key (the private key never leaves your computer).

    [citiation needed] Not that I don't believe you, but is this based on actual knowledge or are you just assuming they aren't being stupid?


Log in to reply