Policy-Discussion

[Mark Lipscombe <mark AT cacert.org>]

On 3/24/2010 3:03 PM, Ian G wrote:
> On 24/03/2010 13:00, Mark Lipscombe wrote:
> > Was any consideration given to how this contrasts with DRC C.3.e:
> >
> > The root certificate private key pass-phrase (i.e. password) is not
> > stored electronically or physically.
>
> I've thought about it, and I think what this means is that the human has
> to remember the password. I think this is actually bad advice, and it is
> not how things have traditionally been done in CAcert. Nor is it likely
> to work, because remembered passwords have to be used frequently, or be
> very simple (or both).
>
> So, this is one area where I expect the criteria will not be followed,
> and there will be an appeal to the auditor on the basis of more modern
> advice. I'd be expecting the passphrases be written down and the piece
> of paper be kept safe.
>
> That's just my call, though. Another possibility is to go back to David
> Ross and discuss the criteria with him.

Yes, you're right that it does seem like a questionable criteria. 
Perhaps we should discuss it with David, and failing that, documenting 
our "compensating controls" as part of our case for ignoring that criteria.

What does Webtrust have to say on the subject?

Regards,
Mark