Subject: Policy-Discussion
List archive
- From: "Kyle Hamilton" <aerowolf AT gmail.com>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
- Date: Mon, 20 Feb 2006 03:22:04 -0700
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
This makes me wonder if it would be possible to have a key generator
somewhere that would split it into a 2/4 share scheme before ever
letting it leave the box -- preferably one that would do all the
encryption necessary to send via S/MIME to each of the employees, as
well as talking to the SMTP server to do so.
Just musing...
-Kyle H
On 2/20/06, Philipp Gühring <pg AT futureware.at> wrote:
> Hi Lambert,
>
> Thanks for your feedback!
>
> > I just read this email, and have a question, so I did not reply to the
> > mailing list.
>
> Ok, I hope you don't mind that I send the reply to the mailing list.
>
> > Am I correct, when I read your email as: "please comment on what I propose
> > as the 'CONFIGURATION CONTROL SPECIFICATIONS' for changes to the CACert
> > core system"?
>
> Yes.
>
> > If so, my first responses are:
> > 1) full responsibility for both approval and implementation of changes
> > (HW/SW) are combined in one person ==> not really "industry best
> > practice",
> > I would suggest have this split into two persons
>
> Yes. You are fully right, it would be best practice to have that split into
> two persons. The problem is just that we don't have two persons available
> locally.
>
> > 2) hardware changes are not documented ==> not acceptable, you will need
> > an approval process and full logging.
>
> I am planning to change that policy as soon as we have enough capacities to
> fulfill it.
>
> > 3) root certificates are the responsibility of the administrator
> > ==> not acceptable, you'd need a certificate change ceremony for all
> > changes, with at least two separate key administrators who need to be
> > present, and key components (for backup) under control of at least two
> > other key custodians.
>
> Yes. All three changes demand more resources than we currently have.
> Keep in mind that CAcert is geographically spread around the whole world.
> Our trusted core team are currently 4 people, one in Australia, one in
> Brazil, one in France and one in Austria. That's quite contrary to a normal
> company, having all people in the same place.
>
> > You'd need more detail, and more procedures.
>
> Can you go into detail?
>
> > Is this the type of feedback you are looking for?
>
> Yes. Exactly.
> Especially that you only mentioned the points where I expected the
> feedback, and that you didn't have any specific problems with the rest.
>
> Best regards,
> Philipp Gühring