Policy-Discussion

[Daniel Black <daniel AT cacert.org>]

On Thursday 14 January 2010 00:30:55 Philipp Guehring wrote:
> Hi,
> 
> > Who's not and why?
> 
> I am against it, since we still have users that require Class3
> certificates for their applications.
> One such application I know of is http://registeredcommons.org/
> There might be others as well that I have not heard about yet.

it seems as though they could achieve the same thing with class1 certificates.

        SSLVerifyDepth 3         
        SSLCACertificatePath /usr/share/ca-certificates/cacert.org/
        SSLCADNRequestPath /usr/share/ca-certificates/cacert.org/  
        SSLOptions +StdEnvVars +ExportCertData  
        SSLRequire %{SSL_CLIENT_S_DN_CN} != 'CAcert WoT Member'

also possible in apache1.3's modssl

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23

ref:
http://wiki.cacert.org/Technology/KnowledgeBase/Server/ApacheServerClientCertificateAuthentication
> 
> Therefore please consider my proposal to discourage our users and
> migrate our users to Class1 where possible, but continue issueing Class3
> for those that need it.

issue a blog notice and some solutions around what can be done to acheive the 
same results.

we still may need to move of class3 however giving those with specific class3 
applications notice is good.

-- 
Daniel Black
Infrastructure Administrator
CAcert