Subject: Policy-Discussion
Re: why this is a policy vote. impact for current class3 users. why not newroots. was Re: proposal to stop issuing class3 certificates
- From: Faramir <faramir.cl AT gmail.com>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: why this is a policy vote. impact for current class3 users. why not newroots. was Re: proposal to stop issuing class3 certificates
- Date: Fri, 15 Jan 2010 16:33:43 -0300
- Openpgp: id=4319410E; url=http://tinyurl.com/0x4319410E
Daniel Black wrote:
> On Friday 15 January 2010 00:13:23 Ian G wrote:
...
>> 1. there are users of this service and there is no "impact" assessment
>> to them.
>
> Ok:
> impact statement:
>
> There may be organisations like registeredcommons.org relying on us issuing
> class3 certificates to provide certified certificates of identity. For a long
...
> Unfortunately due to changes to remove our MD5 based class3 certificate
> you, the class3 relying party, will be required to make some changes to your
> software to accept validated identity based on any CAcert issued certificate
> without the text 'CAcert WoT Member'. This change will be compatible for when
> we issue our new roots that are audit friendly.
But maybe these changes require software development instead of just
changing some configuration of the server... so maybe it won't be easy
for them to do it. At first I was in favour of that motion, now (for
now) I'm not.
...
>> 4. there is a far better path IMO: follow the New Roots path properly
>> and be done with it (or just implement the 2008 roots for the next year
>> if we need a fast solution, it's probably less work anyway).
> Is the risk of an auditor saying the New Roots are rubbish and we need to a)
> issue new ones mitigated, b) revoke all certs issued off them?
Probably a) is right, but I think b) is unlikely, since the
certificates that would be included in browsers would be the new ones
(from a) ), so the 2008 roots would not have any impact on users (they
won't even know they exist, unless they manually import them, which they
are doing right now despite there being no audit).
> Without this risk mitigated may be issuing new roots twice with all the bad
> PR, confusion, and root distribution issues that go along with it.
That can be mitigated by stating the 2008 roots are a temporary
measure, until we get audit ready. Since people have to manually import
them, they will see the announcement/statement.
...
> The main thing we need is leadership. I haven't seen the board as a whole
> particularly enthused about solving this issue.
That's right, but they already have a very big "urgent todo list",
like AGM, fixing support, and all that.
> I'm not saying that other software resources aren't needed, they just need a
> clear leadership to say this is the plan and we're going to stick to it.
True, but remember it is possible after AGM there will be changes in
the board, so maybe it would not be so wise for the current board to
push too much on this issue, it would be better, IMHO, if the leadership
is taken by a task force (task group? task team?), which could be more
stable. And AFAIK, at AGM we will have the financial report, which will
enable us to plan what can be done with the resources available.
Best Regards