Subject: Policy-Discussion
List archive
- From: Peter Williams <home_pw AT msn.com>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
- Date: Thu, 10 May 2007 08:25:35 -0700
- Importance: Normal
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
An auditor would normally accept two risk-based rationales, supporting the policy of CA management concerning periods.

1. Lack of cryptographic strength is mitigated by limiting the exposure of the key, by limiting the period during which it can be used.
2. Naturally diminishing strength of the binding of a confirmed name to the public key over time is mitigated by setting a threshold date after which the strength must be re-established in order to convey the appropriate amount of identity assurance.

Obviously, either further professionalize or simplify the language, to suit the audience.

> Date: Thu, 10 May 2007 11:04:14 +0200
> From: iang AT systemics.com
> To: cacert-policy AT lists.cacert.org
> Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
>
> mfolimun AT elitemail.org wrote:
>
> > It would seem the ability to create subdomains, post webpages, and
> > answer root/postmaster's email should conclusively demonstrate domain
> > ownership, especially since the whois information has nothing to do
> > with my real identity anyways. So I don't understand why someone needs
> > to see government issued ID for me to be trusted to have an ssl cert
> > for 2 years as opposed to 6 months, especially given that it would
> > seem I can just keep requesting new certs every 6 months forever
> > without providing any ID.
>
>
> So your actual request is more to do with figuring out why
> anonymous certificates are issued only for 6 months?
>
> Curiously, the CPS does not say. Section 6.3.2 of the draft
> just has a pretty green question asking exactly that
>
> http://www2.futureware.at/svn/sourcerer/CAcert/policy.htm#p6.3
>
> ================
> 6.3.2. Certificate operational periods and key pair usage
> periods
>
> How long is it?
>
> No stipulation.
> ================
>
> Does anyone know why this is? Indeed, why are named certs
> in the class 3 root good for 2 years? Why not 3 years?
>
> (No stipulation means that the CA has decided not to
> standardise this issue in the CPS. This might be a
> reflection on the arbitrariness of 2 years versus 6 months,
> or might not...)
>
>
> iang