Skip to Content.
Sympa Menu

cacert-policy - Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification

Subject: Policy-Discussion

List archive

Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification


Chronological Thread 
  • From: "Kyle Hamilton" <aerowolf AT gmail.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] [FIRSTREVIEW] Configuration Control Specification
  • Date: Mon, 20 Feb 2006 21:15:49 -0700
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Mgpbz0ktQ9VaFs4Y0ZHTyy3KTGsUwLdy6Knz0IlEi2jqDUUSiOaOp68HI7yzVXh/3AgOteS8oXkQopRWDeeykCVSB2wJqE8+dGSeA3qL0eTCav2L6Z+DN6e+4u5nR1hwaIYuec8rIkN4IRMF7Dl4lKG2DbSgeUa1niHfW6nhHac=
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

On 2/20/06, Duane 
<duane AT cacert.org>
 wrote:
> Peter Williams wrote:
>
> > Its hard to imagine the industry accepting an audit attestation that
> > verifies that it is CAcert policy to use less than a FIPS 140-1 level 3
> > HSM to protect root keys.
>
> For what it's worth we have been donated an IBM HSM, we just haven't
> worked out the most effective way to deploy it to make everyone happy.

Which model?  Does OpenSSL have an ENGINE for it?

> For example, if we issue a completely new root, we need to get 100,000's
>   of computers, if not 1,000,000's to load the new root cert.

...but if the new root is accepted by browser manufacturers, that'll
happen automatically.  (If it's accepted by Microsoft, it becomes part
of the root certificate update.)

> So at a guess we have a single option that won't tick everyone off, and
> that is to issue a new root cert for the HSM chained from the current,
> then get everyone to use the new root cert only, since computers have a
> lifetime for early adopters of approx 1.5->3 yrs, everything would
> eventually work itself out over time.

Security may be inconvenient.  The question is, what are these certs
going to be used for?  Financial transactions?  Site authentication? 
Anything else?

-Kyle H




Archive powered by MHonArc 2.6.16.

Top of Page