Subject: CAcert Code Development list.
Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- From: Andreas Bäß <ab AT it-sls.de>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- Date: Wed, 17 Mar 2010 12:41:10 +0100
Hi all!
Making a suggestion for changing the way Org certificates are generated
is on my agenda since the first day I saw how the process is implemented.
I had the same thought as Matthieu, that having the org-admin generate the
keypair is "not right". But on second thought it is not wrong, when
you consider the requirement that the organisation does not allow private
usage of that account and that it requires the ability to get access to the
private key if it feels it has to.
However I would like to add other ways how the organization might choose
to generate the keys:
+ Org might pass a one-time password to the user that gives him the
right to generate a private key that is generated by the client software
and is never seen by the org admin or CAcert
+ Org might pass a one-time password to a user that gives him the
opportunity to paste a CSR for a specific name into an input field to get
it signed
Besides the fact that the Org might not have access to the private key, it
has the ability to revoke those certificates at any time and to revoke the
one-time passwords if they fear that they have been compromised.
I have the feeling that by adding those options to the process, CAcert
can provide the processes for Organisations that either allow
strict privacy with "their" resources, leaving the control of the
private key to the individual and the processes he has to follow, or take
control over whom it hands the private key to, keeping the ability to
get access to everything that has been encrypted with that key.
If there is anybody volunteering to make a suggestion about what this means for
the org-assurance policy, feel free to make a draft :-) I won't today as
I have other priorities.
Regards
Andreas
--
Andreas Bäß, Service Level Solutions
E-Mail: ab AT it-sls.de
Hermann-Steinhäuser-Straße 43-47, 63065 Offenbach am Main
Telefon: +49 69 979 474 43
Fax: +49 69 979 474 45
Mobil: +49 170 7644541
USt-Id-Nr.: DE 258560003
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
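The second option above (user pastes a CSR for a specific name, the org signs it, and neither the org admin nor the CA ever sees the private key) can be modelled end to end in a few dozen lines. The following is an added example written for this archive page; it is not Andreas's code and not CAcert's issuing software. It uses only the Go standard library; the `Issuer` type, the one-time-password table, the names `alice@example.org` / `bob@example.org` and the 24-hour validity are all constructed for the illustration. The org side binds each one-time password to exactly one name, checks the CSR's proof of possession, refuses a CSR whose subject does not match that name, and consumes the password before signing so it cannot be replayed; revocation, which the mail also mentions, is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer models the org-side signing service (hypothetical, not CAcert's code).
type Issuer struct {
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
	// oneTime maps an unused one-time password to the only name it may sign for.
	oneTime map[string]string
}

// NewIssuer creates a throwaway org CA (constructed for this example).
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Org CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{caCert: cert, caKey: key, oneTime: map[string]string{}}, nil
}

// CACert exposes the org CA certificate so relying parties can verify the chain.
func (i *Issuer) CACert() *x509.Certificate { return i.caCert }

// IssueOneTimePassword is what the org admin hands to the user; it is bound to one name.
func (i *Issuer) IssueOneTimePassword(name string) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	otp := fmt.Sprintf("%x", b)
	i.oneTime[otp] = name
	return otp, nil
}

// ClientMakeCSR runs on the user's machine: the private key is created here and never leaves.
func ClientMakeCSR(name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}, key)
	return key, csrDER, err
}

// Sign accepts a pasted CSR only if the one-time password is unused and the CSR
// names exactly the name bound to it. The password is consumed before signing.
func (i *Issuer) Sign(otp string, csrDER []byte) (*x509.Certificate, error) {
	name, ok := i.oneTime[otp]
	if !ok {
		return nil, errors.New("unknown or already used one-time password")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	// Only the bound name may appear; reject any extra SAN the user added.
	if csr.Subject.CommonName != name || len(csr.DNSNames) != 0 || len(csr.EmailAddresses) != 0 {
		return nil, errors.New("CSR names do not match the name bound to this one-time password")
	}
	delete(i.oneTime, otp) // consume first so a retry with the same password fails
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.caCert, csr.PublicKey, i.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	iss, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	otp, _ := iss.IssueOneTimePassword("alice@example.org") // admin hands this to Alice
	_, csr, _ := ClientMakeCSR("alice@example.org")          // Alice: key stays local
	cert, err := iss.Sign(otp, csr)                            // org: sign the pasted CSR
	fmt.Println("issued:", cert != nil, "err:", err)
	_, err = iss.Sign(otp, csr) // replay of the same password is refused
	fmt.Println("replay refused:", err != nil)
}
```

The point the mail makes is visible in the types: `ClientMakeCSR` returns the private key to the caller on the user's side, while `Sign` only ever receives the CSR bytes, so the org can revoke the certificate or the outstanding one-time password but has nothing it could hand over on a request to decrypt.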