Policy-Discussion

[Alaric Dailey <alaricd AT pengdows.com>]

Philipp Gühring wrote:

> Hi,
>
>  
>
> > Just like software development, the sooner the problem is discovered and
> > fixed correctly, the less stuff has to be changed in the long run.
> >    
>
> Sure. But I don´t see many things that have to be fixed, most of the issues 
> are either not our own problem, or necessary enhancements.
>
>  
>
> > If we suppose for a second that the document I just read covering
> > "Personal Identity Verification for Federal Employees and Contractors"
> > for the US government was the stricted document for the identification
> > of people in world.  Then one of the many things we would need to change
> > is the size of the root certificate for CACert, current its at 4096, and
> > that document specifies a 2048 bit cert. IF we get our current
> > certificate in the browsers and then have to issue  a different
> > certificate to follow such specs, then we either start all over, or
> > create a new problem with having to use a subordinate CA.
> >    
>
> That falls under the category of others that have to fix it. I don´t see a 
> good reason that we should lower our security because of their specification.
> We already had the same Problem with Java until Java 1.4, that it only could 
> work with weaker keys. It was fixed in Java 1.5 now.
> So please go an tell them to fix their specification.
> Or give us good reasons, why it makes sense for us to have lower security.
>
>  
This was only an example, thus I prefaced it with "If we suppose for a 
second". 


> > Solve the issues before they become a problems, and the sooner, the
> > better.  Fix them correctly, rather than trying to band-aid them.
> >    
>
> Yes, all together have to fix the issues, not band-aid them by using less 
> secure systems.
>
>  
>
> > I am hoping that we some of the people I have seen posting "I want to
> > help with legal issues" will volunteer, as a matter of fact this
> > original poster that I was responding to looked (to me anyway) to be
> > offering such help.
> >    
>
> Perhaps I have been blind, could you please show me the people again who said 
> that they want to help with legal issues?
>
>  
I will peruse the mail list archive to find the emails I am remembering, 
and follow up, due to time constraints it may be a day or 2, if I do not 
find them I will follow up with a message stating that I made a mistake.


> > > > For example, I happen to know that our "Certificate Policy
> > > > Statement" is in dire need of legal review ( I am not even sure if its
> > > > posted on the site).
> > > >        
> > > http://www2.futureware.at/svn/sourcerer/CAcert/policy.htm
> > >      
> > Thats not on the CACert.org site, and I havent found a link to that
> > anywhere on the cacert.org site (not saying that there isn't such a
> > link, just that I haven't found it).
> >    
>
> The policy isn´t officially approved by the board yet.
> (We are currently working on the wanted changes from the auditor, so I think 
> the board waits for that work to be finished, so that the Policy is auditor 
> compliant, and we do not have to change it again then.)
>
> Regards,
> Philipp Gühring
>
> _______________________________________________
> Have you subscribed to our RSS News Feed yet?
>
> CAcert-Policy mailing list
> CAcert-Policy AT lists.cacert.org
> http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
>
>

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature