cacert-policy - RE: [CAcert-Policy] offer of policy/practices help

RE: [CAcert-Policy] offer of policy/practices help
  • From: "Peter Williams" <home_pw AT msn.com>
  • To: cacert-policy AT lists.cacert.org
  • Subject: RE: [CAcert-Policy] offer of policy/practices help
  • Date: Sat, 14 May 2005 09:36:55 -0700
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

I'll do some modern analysis of http://www.access.gpo.gov/bis/ear/pdf/ccl5-pt2.pdf in due course.

The secret clauses are now listed - though marked RESERVED.

The official CA designation USED to mean you were authorized to issue specially-marked certs to non-US banks, and thus come under different aspects of the EAR than the 1999 commodity software rule changes. What it means today is for further investigation.

Please point to legal wording in the settlement agreement between the US and Microsoft Corp. Point to any available background negotiation information. The link between Microsoft and the US government is deep and difficult, and involves Defense Messaging System procurement policy issues, foreign intelligence gathering and deception issues, the mandatory TPM support in Longhorn matter, in addition to handling simple crypto strength issues - controls whose effectiveness levels were debated widely in the mid 90s.

From: "Peter Williams" <home_pw AT msn.com>
Reply-To: Policy-Discussion <cacert-policy AT lists.cacert.org>
To: <cacert-policy AT lists.cacert.org>
Subject: [CAcert-Policy] offer of policy/practices help
Date: Sat, 14 May 2005 09:07:48 -0700

I'm willing to help write cacert.org disclosure statements and
policy/practice documents - with a view to obtaining a webtrust-like
certification for the CA.

I can offer (a) experience of having performed detailed review of the drafts of
certification policy in the VeriSign CPS, (b) having analysed the VeriSign CPS
author's mental model concerning legal models, (c) experience of how one can
recover from a failed SAS70 audit, (d) experience of having written
disclosure and policy documents for a (non-VeriSign) CA that obtained
webtrust certification, so it could resell its root keys (for millions of
dollars, in one case), (e) having continuing access to the underlying US
government best practices and comsec documents from which I filched much of
the material used (legally) in (d), (f) being wholly unaffiliated with the
VeriSign that I helped establish in 1994.

Peter.
