Policy-Discussion

[Daniel Black <daniel AT cacert.org>]

Two high profile organisationally assured universities represented by Roberto 
and Dieter are holding off on two very wide scale deployments of CAcert's 
root 
certificate that will have substantial benefit for CAcert.

Their problem is the support and PR issues related to our current class3 
certificate that is MD5 signed. Attempts to justify the risks here based on 
known exploits have not changed their positions.

The problem is not that there will be class3 certs in their organisation its 
that we are issuing class3 with a MD5 trust chain to our root at all. This 
causes the support and PR complications that they would rather avoid.

What I propose to you is CAcert should stop issuing class3 certificates as 
soon as technical feasible so that CAcert root and server/personal 
certificates can be deployed to many thousands of servers, staff and students.

I am not proposing that existing class3 signed certificates be revoked or the 
class3 root to be revoked

Philipp Guehring asserts class3 usages in limited to a few users 
https://lists.cacert.org/wws/arc/cacert-sysadm/2009-12/msg00038.html ;.

The deployment steps and a few discussions bits are here:
https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00015.html

When we are closer to getting an Audit complete the NewRoots can be issued in 
accordance with our CPS with no problem. This proposed decision to halt 
future 
class 3 certificates issuing will gain CAcert substantial benefits.

I therefore propose: "CAcert stops issuing Class3 certificates."

Who's in favour of this?

Who's not and why?

-- 
Daniel Black (who's in favour)