
cacert-policy - RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification

Subject: Policy-Discussion

  • From: "Peter Williams" <home_pw AT msn.com>
  • To: cacert-policy AT lists.cacert.org
  • Subject: RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
  • Date: Mon, 20 Feb 2006 08:40:56 -0800
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>




From: <Lambert.Hofstra AT ins.com>
Reply-To: Policy-Discussion <cacert-policy AT lists.cacert.org>
To: <cacert-policy AT lists.cacert.org>
Subject: RE: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
Date: Mon, 20 Feb 2006 10:35:48 -0000

> This makes me wonder if it would be possible to have a key generator
> somewhere that would split it into a 2/4 share scheme before ever
> letting it leave the box -- preferably one that would do all the
> encryption necessary to send via S/MIME to each of the employees, as
> well as talking to the SMTP server to do so.
>
> Just musing...
>
> -Kyle H

FIPS 140-2 requires for level 3 and 4 that keys can only be exported in
such a way ("Secret and private keys established using manual methods
shall be entered or output encrypted or with split knowledge
procedures.", see
http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf ;)

Most devices support both n out of m, or n-components mechanisms.

This makes me wonder: what is the security level of the cryptographic
hardware in use at CAcert?

It's hard to imagine the industry accepting an audit attestation that verifies that it is CAcert policy to use less than a FIPS 140-1 level 3 HSM to protect root keys.

Friendly note.


Lambert Hofstra


> _______________________________________________
> Have you subscribed to our RSS News Feed yet?
>
> CAcert-Policy mailing list

CAcert-Policy AT lists.cacert.org
http://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy





