- From: Ian G <iang AT systemics.com>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
- Date: Fri, 11 May 2007 00:35:25 +0200
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
mfolimun AT elitemail.org wrote:
> On Thu, 10 May 2007 08:25:35 -0700, "Peter Williams" <home_pw AT msn.com> said:
>> An auditor would normally accept two risk-based rationales, supporting
>> the policy of CA management concerning periods.
>> 1. lack of cryptographic strength is mitigated by limiting the exposure
>> of the key, by limiting the period during which it can be used
>> 2. naturally diminishing strength of the binding of a confirmed name to
>> the public key over time is mitigated by setting a threshold date after
>> which the strength must be re-established in order to convey the
>> appropriate amount of identity assurance. Obviously, either further
>> professionalize or simplify the language, to suit the audience.
>
> Well 1 doesn't apply (since I intend on requesting at least a 2048-bit key), so I will address 2. Ultimately, a signed TLS cert is a
> certification of a domain name, not an individual person.

Right, but you are the person who gets it.

> For my domain, no individual is listed on the whois information, so there is
> no identity to assure.
> However, I can conclusively demonstrate, via a number of different
> technical mechanisms, that the request for the certificate is actually coming from the entity that owns the domain. Therefore, I
> don't understand why I am to be given such a low threshold of trust.

If you look at Peter's comments above, part 2, you'll see that he is referring to how that single event diminishes in value over time. Currently, CAcert seems to set that event at 6 months for unassured users, but you can boost it up to 2 years by becoming assured.

> Since seeing an ID in my case adds no additional assurance of
> domain ownership (it could be anyone's ID: whois displays no one),

No, this is not what CAcert is doing. It is you that CAcert is assuring, and it is the ID that you show us, it is yours. If you are doing it for someone else it doesn't matter because you have stated you have control.

E.g., sometimes I transfer other people's domains into my account so I can issue SSL certs for them. Then, as far as CAcert is concerned, it is mine. But the whois says someone else.
iang