Policy-Discussion

[Ian G <iang AT cacert.org>]

On 24/03/2010 13:00, Mark Lipscombe wrote:
> On 3/24/2010 12:48 PM, Daniel Black wrote:
> > On Wednesday 24 March 2010 11:52:49 Mark Lipscombe wrote:
> > > they can't remember passphrase
> >
> > On the cacert-roots list it was discussed that password storage is
> > acceptable
> > if stored separately.
>
> Was any consideration given to how this contrasts with DRC C.3.e:
>
> The root certificate private key pass-phrase (i.e. password) is not
> stored electronically or physically.


I've thought about it, and I think what this means is that the human has 
to remember the password.  I think this is actually bad advice, and it 
is not how things have traditionally been done in CAcert.  Nor is it 
likely to work, because remembered passwords have to be used frequently, 
or be very simple (or both).

So, this is one area where I expect the criteria will not be followed, 
and there will be an appeal to the auditor on the basis of more modern 
advice.  I'd be expecting the passphrases be written down and the piece 
of paper be kept safe.

That's just my call, though.  Another possibility is to go back to David 
Ross and discuss the criteria with him.

iang


> I suppose it might be argued that stored "parts" of the passphrase in
> several locations is not the same as the pass-phrase being "stored", but
> it seems like a stretch.
>
> I tried looking through the cacert-root archives, but couldn't find
> anything that answered this.
>
> Regards,
> Mark

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature