Subject: Policy-Discussion
List archive
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: Board inquisition of Multi-member escrow
- Date: Wed, 24 Mar 2010 13:18:38 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
On Wednesday 24 March 2010 13:00:43 Mark Lipscombe wrote:
> On 3/24/2010 12:48 PM, Daniel Black wrote:
> > On Wednesday 24 March 2010 11:52:49 Mark Lipscombe wrote:
> Was any consideration given to how this contrasts with DRC C.3.e:
>
> The root certificate private key pass-phrase (i.e. password) is not
> stored electronically or physically.
Right. There is a strong difference of opinion with security policy:
SP9.2.2-c Passphrase must be strong and must be separately escrowed from
media.
> I suppose it might be argued that stored "parts" of the passphrase in
> several locations is not the same as the pass-phrase being "stored", but
> it seems like a stretch.
Everything to meet this criterion literally is a stretch. Even my approach with PKI protecting the root private key blob.
The frailty of memory isn't compatible with long term reliable storage. The simple things to remember can be defeated during a brute force attack.
> I tried looking through the cacert-root archives, but couldn't find
> anything that answered this.
https://lists.cacert.org/wws/arc/cacert-root/2010-01/msg00015.html
https://lists.cacert.org/wws/arc/cacert-root/2010-01/msg00019.html
--
Daniel Black
CAcert