
cacert-policy - Re: [CAcert-Policy] Why is identity needed to authenticate domains?


Re: [CAcert-Policy] Why is identity needed to authenticate domains?


  • From: mfolimun AT elitemail.org
  • To: "Policy-Discussion" <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
  • Date: Thu, 10 May 2007 22:18:52 +0400
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>


On Thu, 10 May 2007 08:25:35 -0700, "Peter Williams" 
<home_pw AT msn.com>
said:
> An auditor would normally accept two risk-based rationales, supporting
> the policy of CA management concerning periods.
>  
> 1. lack of cryptographic strength is mitigated by limiting the exposure
> of the key, by limiting the period during which it can be used
>  
> 2. naturally diminishing strength of the binding of a confirmed name to
> the public key over time is mitigated by setting a threshold date after
> which the strength must be re-established in order to convey the
> appropriate amount of identity assurance. Obviously, either further
> professionalize or simplify the language, to suit the audience.

Well 1 doesn't apply (since I intend to request at least a 2048-bit 
key), so I will address 2. Ultimately, a signed TLS cert is a
certification of a domain name, not an individual person. For my 
domain, no individual is listed on the whois information, so there is
no identity to assure.

However, I can conclusively demonstrate, via a number of different
technical mechanisms, that the request for the certificate is 
actually coming from the entity that owns the domain. Therefore, I
don't understand why I am to be given such a low threshold of trust.
A reasonable level, in my opinion, would be the lesser of 1 year
and domain expiration date. 6 months is too rapid to be practical.

The ability to create subdomains, answer postmaster's mail, and post
requested web content demonstrates 3 independent mechanisms for 
verifying domain ownership. Reverse DNS represents yet a fourth.
Since seeing an ID in my case adds no additional assurance of
domain ownership (it could be anyone's ID: whois displays no one),
I really don't see any reason why a full length cert shouldn't be 
granted using these mechanisms.
-- 
  
  
mfolimun AT elitemail.org

-- 
http://www.fastmail.fm - Accessible with your email software
                          or over the web
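The domain-control mechanisms listed in the message above, a token published on a subdomain and content placed on the web site, worked through as an added Python example. This is not code from the original thread or from CAcert; the DNS label `_ca-challenge`, the `/.well-known/ca-challenge/` path, and the "lesser of one year and domain expiry" validity rule are assumptions made for the example, not CAcert policy. Two points a practitioner would want that the message does not spell out: the token must be generated by the CA, be unpredictable, and be fresh per request (otherwise anyone who can read the web site or zone can replay an old value), and the CA must resolve and connect to the domain named in the request itself rather than to any location the requester supplies. Reverse DNS is not included because the PTR zone belongs to whoever holds the IP address space, which need not be the domain's owner.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Added example: CA-side domain control validation (DCV). Names below are
# hypothetical; none of them is an actual CAcert record or path.
VALIDATION_LABEL = "_ca-challenge"                 # assumed DNS label
WELL_KNOWN_PREFIX = "/.well-known/ca-challenge/"   # assumed HTTP path
MAX_VALIDITY = timedelta(days=365)                 # assumed cap from the proposal


@dataclass(frozen=True)
class Challenge:
    domain: str
    token: str


def issue_challenge(domain: str) -> Challenge:
    # A fresh 256-bit random token per request: the requester cannot guess
    # it, and a value left over from an earlier request will not validate.
    return Challenge(domain=domain.lower().rstrip("."), token=secrets.token_urlsafe(32))


def dns_name(ch: Challenge) -> str:
    # The requester proves control by creating this subdomain with a TXT record.
    return f"{VALIDATION_LABEL}.{ch.domain}"


def http_path(ch: Challenge) -> str:
    # The requester proves control by serving the token at this path.
    return WELL_KNOWN_PREFIX + ch.token


def _matches(value: str, ch: Challenge) -> bool:
    # Constant-time compare so the check does not leak the token byte by byte.
    return hmac.compare_digest(value.strip().encode(), ch.token.encode())


def verify_dns(ch: Challenge, lookup_txt: Callable[[str], list[str]]) -> bool:
    """True if some TXT record on the validation subdomain carries the token."""
    return any(_matches(r, ch) for r in lookup_txt(dns_name(ch)))


def verify_http(ch: Challenge, fetch: Callable[[str, str], Optional[str]]) -> bool:
    """True if the web server for ch.domain returns the token at the challenge path.

    fetch() is given the host from the challenge, never a requester-supplied URL."""
    body = fetch(ch.domain, http_path(ch))
    return body is not None and _matches(body, ch)


def validity_end(issued: datetime, domain_expiry: datetime) -> datetime:
    """Validity rule proposed in the message: the lesser of one year and domain expiry."""
    return min(issued + MAX_VALIDITY, domain_expiry)


def demo() -> dict:
    # Constructed stand-ins for real DNS and HTTP: a zone file and a web root.
    ch = issue_challenge("Example.org.")
    stale = issue_challenge("example.org")  # token from an earlier, abandoned request

    zone = {dns_name(ch): ["v=spf1 -all", ch.token]}      # operator published the token
    site = {(ch.domain, http_path(stale)): stale.token}    # only the old token is served

    def lookup_txt(name: str) -> list[str]:
        return zone.get(name, [])

    def fetch(host: str, path: str) -> Optional[str]:
        return site.get((host, path))

    return {
        "dns_ok": verify_dns(ch, lookup_txt),     # True
        "http_ok": verify_http(ch, fetch),        # False: stale token, not this request's
        "validity": validity_end(
            datetime(2007, 5, 10, tzinfo=timezone.utc),
            datetime(2007, 12, 1, tzinfo=timezone.utc),
        ),
    }


if __name__ == "__main__":
    print(demo())
```

In `demo()` the DNS check passes because the operator published the current token, while the HTTP check fails because the site only serves a token from a previous request; a real CA would also retry lookups from more than one network vantage point to resist DNS or routing tampering against a single resolver.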




