Subject: CAcert Code Development list.
Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- From: Faramir <faramir.cl AT gmail.com>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- Date: Tue, 16 Mar 2010 21:48:21 -0300
Ian G wrote:
> On 16/03/2010 16:04, Mathieu Simon wrote:
...
> ... OK, so we are definitely in devil's advocate mode here ... as I
...
>> I have asked our cantonal data protection mandate who basically said:
>> Even as the main sysadmin you should never ask or create
>> a private key that does not belong to you personally or you should have
...
> Well. With all due respect to your cantonal data protection person, who
> I'm sure is a very nice person ... but *we are not in Switzerland*. All
> CAcert stuff is located in NSW Australia, and if you allow others to
> start imposing local ideas on you, you are entering a world of pain.
Right, but if we are not flexible about this, CAcert services would be
unusable at that place... and I think maybe the workaround doesn't
require modifying our policies.
When I create a certificate, it is created in my browser, CAcert never
touches my private keys, and yet, CAcert can sign my certificate, or
revoke it if needed. If I understood it right, what Mathieu needs is to
be able to receive the CSR from the end user, and submit it to CAcert in
order to get it signed. So if the site allows him to paste the CSR,
instead of generating it in the browser, that would solve the problem.
Of course, it would need a patch...
The Org would still be the one responsible, they would just not touch
the private key, but all other things would remain the same.
Best Regards
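
The flow described in the message above, sketched as an added example (not part of the original post and not CAcert's code): the end user creates the key pair and CSR locally, and the organisation admin checks the CSR before pasting it to the CA. The subject values, file names and function names are constructed for illustration.

```shell
#!/bin/sh
set -eu

# End user's side: the key pair is generated locally; only user.csr is handed on.
make_user_csr() {  # $1 = work dir, $2 = subject DN
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/user.key" -out "$1/user.csr" -subj "$2" 2>/dev/null
    chmod 600 "$1/user.key"
}

# Org admin's side: checks made on the received file before submitting it.
check_csr() {  # $1 = received file, $2 = expected organisation (O=)
    # 1. The user must not have sent private key material along with the CSR.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "contains-private-key"; return 1
    fi
    # 2. The CSR's self-signature must verify, i.e. the requester holds the
    #    private key. Match the "verify OK" message rather than trusting the
    #    exit status alone.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "bad-signature"; return 1; }
    # 3. The subject must name the organisation the admin is responsible for.
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    case ",${subject#subject=}," in
        *",O=$2,"*) echo "ok" ;;
        *) echo "wrong-organisation"; return 1 ;;
    esac
}

# Constructed demo run: user creates the CSR, admin checks a copy of it.
work=$(mktemp -d)
make_user_csr "$work" "/O=Example Org/CN=alice@example.org"
check_csr "$work/user.csr" "Example Org"
rm -rf "$work"
```
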