Subject: CAcert Code Development list.
List archive
Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
Chronological Thread
- From: Ian G <iang AT cacert.org>
- To: Mario Lipinski <mario AT cacert.org>
- Cc: cacert-devel AT lists.cacert.org
- Subject: Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- Date: Thu, 18 Mar 2010 21:41:17 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
On 18/03/2010 17:41, Mario Lipinski wrote:
Am 15.03.10 17:59, schrieb Ian G:
If we then move to the Orga Admin context, the member is the Org. In
which case the Org has many private keys which it gives out to its
employees (who are not members). So in this case, the Org is primarily
responsible for the usage of those keys ... just like the Org is
primarily responsible for the usage of the office computers or the
corporate seal for purchasing stuff.
So it should be up to the organisation. If orgs like to backup/store all
keys, they should. If they want only their employees to know the private
part, it should be also fine for us.
Exactly, that would be my view of the current writings of the other policies, especially CCA security obligations:
"to secure your private keys, "
where you == member. So what we need in the OAP is something like:
"The organisation as member is responsible for all actions
and results. It may delegate parts of the responsibilities,
such as key creation, storage, backup, signing and so forth
to personnel within its organisation, but this must be done
under either a general subsidiary policy of CAcert, or an
approved organisation-specific policy."
I mean, it could be anything, really. That was just what came out of my head. The point being that the auditor comes in and says, what are you doing, show me the docs. And then, show me you're following the docs.
Now, what would be helpful is to take something like that above text ... assuming agreement ... and post it into the PolicyDrafts page I mentioned earlier. Capture all this info. Then one weekend, we cram it all into a rewrite, and spring it on the policy group.
In that context it might be reasonable to have the Org pre-create all
the keys and then provision them into browsers. Indeed it might be
reasonable to suggest that the employees must not create their keys,
because they are not "us" ! But maybe we don't need to go that far if
it is clear that the Org is the responsible entity.
We sign certificates, not private keys. So management of the private
keys should be up to the organisation.
ok.
iang
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), (continued)
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Ian G, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Dieter Hennig, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Dieter Hennig, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Ian G, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Mathieu Simon, 03/16/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Faramir, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Mathieu Simon, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Andreas Bäß, 03/17/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Ian G, 03/20/2010
- Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-), Dieter Hennig, 03/20/2010
Archive powered by MHonArc 2.6.16.