Policy-Discussion

[Jac Kersing <j.kersing AT the-box.com>]

On Thu, 13 Dec 2007, Iang wrote:

> > Therefore I propose to stop issuing code signing certificates till we
> > have a policy about when and how they are issued.

Do you mean no more code signing certificates for the CAcert users 
currently approved for codesigning? Or no more CAcert users being approved 
for codesigning?

> OK!  What votes are there on this interesting question.?

If not accepting new requests for the option, I'm marginally ok as I can 
see the need for a policy.

If not processing certificate requests for codesigning certs for those 
granted codesigning options, it's a NAY.
As there has not been a policy for this yet and CAcert granted developers 
the option to get codesigning certs I think it is not done to suddenly 
revoke this option for a unknown timeframe. I (having the option to 
request codesigning certs myself) would certainly not appreciate this.

This raises the question if people using CAcert are bound by new 
policies if those become active after they've been granted privileges. 
Example, user Joe X created an account 1 year ago. He got sufficient trust 
points to get a server certificate valid for 2 years just before the 
CAcert user agreement became active. Now he has no need to visit the 
website for at least 1 year...
Is the user agreement applicable for Joe X? If so, how would he know about 
it?

Regards,

Jac


---
 Jac Kersing            Technical Consultant   The-Box Development
 
j.kersing AT the-box.com
     CISSP   RHCE        http://www.the-box.com