
cacert-policy - Re: [CAcert-Policy] [Fwd: Re: 307 digit number factored]



  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] [Fwd: Re: 307 digit number factored]
  • Date: Wed, 23 May 2007 16:50:32 +0200
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Johan van Selst wrote:


> If we need to talk about algorithms in a policy (do we?),


One of the audit criteria, DRC_A.2.d, says:

For each class of certificate, the CA provides technical details of certificate generation:

   1. size
   2. algorithms
   3. allowed lifetime
   4. method of generation
   5. purpose indicators (e.g., site, mail, file signing)
   6. signing (by root or intermediate certificate)
   7. representation of domains
   8. ensuring uniqueness

The content seems to be located currently in the CPS, around 4.3.1:

http://www2.futureware.at/svn/sourcerer/CAcert/policy.htm#p4.3

(Whether that's a yes or a no or an ok, I'll leave to you :)

> then why not just copy from, or even better simply refer to the NIST
> standards on what are considered "good" algorithms and keysizes.


Well, it is a little more than that. The CA has to decide what profile it supports, then adjust all the code and doco to suit.

That could be quite a bit of work for CAcert's developers. Just copying from the NSA is only the first part, albeit an easy part as they have probably thought it out well, and their B List is likely solid for a while.

iang



