Policy-Discussion

[Ian G <iang AT cacert.org>]

Lambert,

the best way of thinking about this is that the current structure was 
maybe well-intentioned but historically has become a mess.  There is 
little real value in tweaking it or repairing it.

The new structure has the advantage that it is more or less what the 
current industry profile demands.  A single no-issue root which signs 
issuing sub-roots, each for different purposes or roles.

https://wiki.cacert.org/Roots/Structure

There are disadvantages with all ways of doing things .. which makes the 
conversation very messy.

iang



On 13/01/2010 17:54, Lambert Hofstra wrote:
> Hi Daniel, policy group,
>
> Just for my understanding, I know we cannot change this right now, and
> we did not have class-3 when CAcert started)
> Would it be correct to state that when the class-3 root was a separate,
> self-signed root, it would not be a problem?
> Also, wouldn't it be more correct (greenfield?) to have the class-3 root
> as highest root, and have the class-1 root signed by the class-3 root?
> So that you can choose:
>   - rely only on class-1 ==>  load the class-1 root as CA
>   - rely on class-3 (better verified certs) ==>  load the class-3 root,
> and get class-1 (lower reliance) as bonus
> Or would it be better to create a separate class-1 root and class-3 root?
>
> Lambert
>
> Daniel Black wrote, On 13/01/2010 10:02:
> > Two high profile organisationally assured universities represented by Roberto
> > and Dieter are holding off on two very wide scale deployments of CAcert's root
> > certificate that will have substantial benefit for CAcert.
> >
> > Their problem is the support and PR issues related to our current class3
> > certificate that is MD5 signed. Attempts to justify the risks here based on
> > known exploits have not changed their positions.
> >
> > The problem is not that there will be class3 certs in their organisation its
> > that we are issuing class3 with a MD5 trust chain to our root at all. This
> > causes the support and PR complications that they would rather avoid.
> >
> > What I propose to you is CAcert should stop issuing class3 certificates as
> > soon as technical feasible so that CAcert root and server/personal
> > certificates can be deployed to many thousands of servers, staff and students.
> >
> > I am not proposing that existing class3 signed certificates be revoked or the
> > class3 root to be revoked
> >
> > Philipp Guehring asserts class3 usages in limited to a few users
> > https://lists.cacert.org/wws/arc/cacert-sysadm/2009-12/msg00038.html ;.
> >
> > The deployment steps and a few discussions bits are here:
> > https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00015.html
> >
> > When we are closer to getting an Audit complete the NewRoots can be issued in
> > accordance with our CPS with no problem. This proposed decision to halt future
> > class 3 certificates issuing will gain CAcert substantial benefits.
> >
> > I therefore propose: "CAcert stops issuing Class3 certificates."
> >
> > Who's in favour of this?
> >
> > Who's not and why?

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature