
cacert-policy - Re: [CAcert-Policy] Propose Study Group for legal issues

Subject: Policy-Discussion

  • From: Alaric Dailey <alaricd AT>
  • To: Policy-Discussion <cacert-policy AT>
  • Subject: Re: [CAcert-Policy] Propose Study Group for legal issues
  • Date: Mon, 23 May 2005 11:30:40 -0500

Philipp Gühring wrote:


Just like software development, the sooner the problem is discovered and
fixed correctly, the less stuff has to be changed in the long run.

Sure. But I don't see many things that have to be fixed, most of the issues are either not our own problem, or necessary enhancements.

If we suppose for a second that the document I just read covering
"Personal Identity Verification for Federal Employees and Contractors"
for the US government was the strictest document for the identification
of people in the world.  Then one of the many things we would need to change
is the size of the root certificate for CACert, currently it's at 4096, and
that document specifies a 2048 bit cert. IF we get our current
certificate in the browsers and then have to issue a different
certificate to follow such specs, then we either start all over, or
create a new problem with having to use a subordinate CA.

That falls under the category of others that have to fix it. I don't see a good reason that we should lower our security because of their specification.
We already had the same problem with Java until Java 1.4, that it only could work with weaker keys. It was fixed in Java 1.5 now.
So please go and tell them to fix their specification.
Or give us good reasons, why it makes sense for us to have lower security.

This was only an example, thus I prefaced it with "If we suppose for a second".

Solve the issues before they become problems, and the sooner, the
better.  Fix them correctly, rather than trying to band-aid them.

Yes, all together have to fix the issues, not band-aid them by using less secure systems.

I am hoping that some of the people I have seen posting "I want to
help with legal issues" will volunteer, as a matter of fact this
original poster that I was responding to looked (to me anyway) to be
offering such help.

Perhaps I have been blind, could you please show me the people again who said that they want to help with legal issues?

I will peruse the mail list archive to find the emails I am remembering, and follow up, due to time constraints it may be a day or 2, if I do not find them I will follow up with a message stating that I made a mistake.

For example, I happen to know that our "Certificate Policy
Statement" is in dire need of legal review (I am not even sure if it's
posted on the site).

That's not on the site, and I haven't found a link to that
anywhere on the site (not saying that there isn't such a
link, just that I haven't found it).

The policy isn't officially approved by the board yet.
(We are currently working on the wanted changes from the auditor, so I think the board waits for that work to be finished, so that the Policy is auditor compliant, and we do not have to change it again then.)

Philipp Gühring
