Subject: Policy-Discussion
- From: Tomáš Trnka <TomTrnka AT seznam.cz>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: proposal to stop issuing class3 certificates
- Date: Wed, 13 Jan 2010 10:59:50 +0100
On Wed, 13 January 2010, Daniel Black wrote:
> Two high profile organisationally assured universities represented by
> Roberto and Dieter are holding off on two very wide scale deployments of
> CAcert's root certificate that will have substantial benefit for CAcert.
>
> Their problem is the support and PR issues related to our current class3
> certificate that is MD5 signed. Attempts to justify the risks here based on
> known exploits have not changed their positions.
>
> The problem is not that there will be class3 certs in their organisation,
> it's that we are issuing class3 with an MD5 trust chain to our root at all.
> This causes the support and PR complications that they would rather avoid.
>
> What I propose to you is CAcert should stop issuing class3 certificates as
> soon as technically feasible so that CAcert root and server/personal
> certificates can be deployed to many thousands of servers, staff and
> students.
>
> I am not proposing that existing class3 signed certificates be revoked or
> the class3 root to be revoked.
>
> Philipp Guehring asserts class3 usage is limited to a few users
> https://lists.cacert.org/wws/arc/cacert-sysadm/2009-12/msg00038.html .
>
> The deployment steps and a few discussion bits are here:
> https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00015.html
>
> When we are closer to getting an Audit complete the NewRoots can be issued
> in accordance with our CPS with no problem. This proposed decision to halt
> future class 3 certificates issuing will gain CAcert substantial benefits.
>
> I therefore propose: "CAcert stops issuing Class3 certificates."
>
> Who's in favour of this?
>
> Who's not and why?
>
Hello,
this seems to be a reasonable tradeoff for CAcert. I don't really want to issue
a new root just because of some universities, but I consider dropping class3
as a far easier alternative. Therefore, I'd support this proposal, if and only
if both universities make a clear statement that this is sufficient for them
to deploy CAcert certs.
2T