Subject: Policy-Discussion
why this is a policy vote. impact for current class3 users. why not newroots. was Re: proposal to stop issuing class3 certificates
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: why this is a policy vote. impact for current class3 users. why not newroots. was Re: proposal to stop issuing class3 certificates
- Date: Fri, 15 Jan 2010 13:49:59 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
On Friday 15 January 2010 00:13:23 Ian G wrote:
> On 13/01/2010 10:02, Daniel Black wrote:
> > I therefore propose: "CAcert stops issuing Class3 certificates."
>
> What some may have missed is that in this traffic, Daniel is asking for
> a formal vote by policy group. This is recorded in the decisions page:
>
> https://wiki.cacert.org/PolicyDecisions
>
It was certainly worded like a formal decision.
> > Who's in favour of this?
> >
> > Who's not and why?
>
> NAYE.
Recorded.
>
> 1. there are users of this service and there is no "impact" assessment
> to them.
Ok:
impact statement:
There may be organisations like registeredcommons.org relying on us issuing
class3 certificates to provide certified certificates of identity. For a long
time our class1 certificates have contained a validated identity in the
common name field. Where the certificate owner has not received the required
level of assurance with respect to identity the text 'CAcert WoT Member' is in
the common name field.
Unfortunately, due to changes to remove our MD5 based class3 certificate
you, the class3 relying party, will be required to make some changes to your
software to accept validated identity based on any CAcert issued certificate
without the text 'CAcert WoT Member'. This change will be compatible for when
we issue our new roots that are audit friendly.
In fairness to our current class3 relying parties we will be providing notice
(blog) before implementation.
> 2. the proposal is based on confused information not analysis. E.g.,
> have a look at these three links, and tell us whether you can conclude
> that stopping class 3 is what is wanted, or not?
>
> https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00040.html
> https://lists.cacert.org/wws/arc/cacert-sysadm/2010-01/msg00036.html
> http://wiki.cacert.org/Brain/Study/Bug665
A conclusion is that the current class 3 or MD5 based certificate root isn't
wanted. There is some indication that a new class3 based on SHA1 is desired.
> 3. this vote is over-reaching: there are detailed SP and CPS issues to
> take into account. Policy group's job is to write the SP and CPS
> policies that affect this, and then hand it over to the teams to
> implement, via board. If this vote goes through, it is an empty
> decision because the SP / CPS still need to be done. The teams follow
> the CPS / SP.
It's a vote of agreement in principle.
> 4. there is a far better path IMO: follow the New Roots path properly
> and be done with it (or just implement the 2008 roots for the next year
> if we need a fast solution, it's probably less work anyway).
Is the risk of an auditor saying the New Roots are rubbish and we need to a)
issue new ones mitigated, b) revoke all certs issued off them?
Without this risk mitigated we may be issuing new roots twice with all the bad
PR, confusion, and root distribution issues that go along with it.
> 5. Any path requires resources. These resources need to be built up
> anyway, and are in the process of being built up.
The main thing we need is leadership. I haven't seen the board as a whole
particularly enthused about solving this issue.
I'm not saying that other software resources aren't needed, they just need a
clear leadership to say this is the plan and we're going to stick to it.
--
Daniel Black