Subject: Policy-Discussion
List archive
- From: Lambert Hofstra <lamberthofstra AT gmail.com>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: proposal to stop issuing class3 certificates
- Date: Wed, 13 Jan 2010 17:54:33 +0100
Hi Daniel, policy group,
Just for my understanding (I know we cannot change this right now, and
we did not have class-3 when CAcert started):
Would it be correct to state that when the class-3 root was a separate,
self-signed root, it would not be a problem?
Also, wouldn't it be more correct (greenfield?) to have the class-3 root
as highest root, and have the class-1 root signed by the class-3 root?
So that you can choose:
- rely only on class-1 ==> load the class-1 root as CA
- rely on class-3 (better verified certs) ==> load the class-3 root,
and get class-1 (lower reliance) as bonus
Or would it be better to create a separate class-1 root and class-3 root?
Lambert
Daniel Black wrote, On 13/01/2010 10:02:
> Two high profile organisationally assured universities represented by Roberto
> and Dieter are holding off on two very wide scale deployments of CAcert's root
> certificate that will have substantial benefit for CAcert.
>
> Their problem is the support and PR issues related to our current class3
> certificate that is MD5 signed. Attempts to justify the risks here based on
> known exploits have not changed their positions.
>
> The problem is not that there will be class3 certs in their organisation, it's
> that we are issuing class3 with an MD5 trust chain to our root at all. This
> causes the support and PR complications that they would rather avoid.
>
> What I propose to you is CAcert should stop issuing class3 certificates as
> soon as technically feasible so that CAcert root and server/personal
> certificates can be deployed to many thousands of servers, staff and
> students.
>
> I am not proposing that existing class3 signed certificates be revoked or the
> class3 root to be revoked.
>
> Philipp Guehring asserts class3 usage is limited to a few users
> https://lists.cacert.org/wws/arc/cacert-sysadm/2009-12/msg00038.html .
>
> The deployment steps and a few discussion bits are here:
> https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00015.html
>
> When we are closer to getting an Audit complete the NewRoots can be issued in
> accordance with our CPS with no problem. This proposed decision to halt future
> class 3 certificate issuing will gain CAcert substantial benefits.
>
> I therefore propose: "CAcert stops issuing Class3 certificates."
>
> Who's in favour of this?
>
> Who's not and why?
>
>