Skip to Content.
Sympa Menu

cacert-policy - Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification

Subject: Policy-Discussion

List archive

Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification


Chronological Thread 
  • From: Duane <duane AT cacert.org>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
  • Date: Tue, 21 Feb 2006 06:01:44 +1100
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Peter Williams wrote:

Its hard to imagine the industry accepting an audit attestation that verifies that it is CAcert policy to use less than a FIPS 140-1 level 3 HSM to protect root keys.

For what it's worth we have been donated an IBM HSM, we just haven't worked out the most effective way to deploy it to make everyone happy.

For example, if we issue a completely new root, we need to get 100,000's of computers, if not 1,000,000's to load the new root cert.

So at a guess we have a single option that won't tick everyone off, and that is to issue a new root cert for the HSM chained from the current, then get everyone to use the new root cert only, since computers have a lifetime for early adopters of approx 1.5->3 yrs, everything would eventually work itself out over time.

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."




Archive powered by MHonArc 2.6.16.

Top of Page