Policy-Discussion

[Andreas Bürki <abuerki AT anidor.com>]

Ian G schrieb:
> On 24/03/2010 11:47, Andreas Bürki wrote:
>> Thoughts at random:
>>
>> *    Why multi-member approach is not more focused on organizations?
>>          *    CAcert ORGA assured organizations are CAcert members as
>> well
>>          *    Organizations will probably "live" longer than an human
>> member
>>          *    Organizations have very often something to loose, at least
>> their reputation.
>>          *    Organizations have very often the physical infrastructure
>> to protect root keys
>
>
> An illustrative example to this would be Oophaga.


Was not at all the focus of my original statement. This was and still is:
> And, yes of course, such organizations could be well known and serious 
> universities, which are member of CAcert
>   


Up to my knowledge Oophagen has not the probably needed physical
security premises.

The universities (ETHZ) are ISO 20000 certified on top


>
> One incidental comment was the audit experiences.  There was serious
> resistance from Oophaga to being reviewed in any sense.  I also
> wondered at how reliable the boundary is across organisations. 
> Typically this is often done with an SAS70 review, but I doubt that
> would work in the more specific case of a security-oriented audit.


Generally speaking, before we make such assumption, we should define our
needs and requirements and then ask. The answer could maybe very
interesting for CAcert.

At the moment, I think it's not very smart to exclude potential
solutions for a task, without knowing the real requests of CAcert for
new roots.


cheeerio, hugi

-- 
Andreas Bürki

E-Mail:
abuerki AT anidor.com
Zertifikat - SHA1-Fingerprint:
EF:7C:42:A2:AA:C3:C6:01:B5:89:B7:9A:15:58:D5:8A:BC:70:12:64

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature