Subject: Policy-Discussion
List archive
- From: Ian G <iang AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: next steps?
- Date: Sun, 17 Feb 2013 16:01:45 +0300
Hi Benedikt,
On 17/02/13 01:45 AM, Benedikt Heintel wrote:
These other issues below -- please treat my response as bar talk over beers as we're not actually evaluating the documents concerned right now. I find the comments interesting, tho.
> and should be made ISO 27001 conform. It's on my task list but not on priority 1.
Hmmm.... what does ISO 27001 conformance mean and why would it be good for CAcert?
> One Policy I like to add is CP / CPS. It is not totally compliant to RFC 3647.
Same question as above. Although the CPS was modelled after RFC 3647, it was never expected to be exactly the same. IMHO nor is that useful: "This document presents a framework to assist the writers of [CPS, etc]..." We were assisted :) so are we not conformant with the intention of the document?
> The RFC states one policy or at least one practice statement per
> (sub-)CA. As I figured out, CAcert has 4 CAs: Test (no security),
I would agree that Test is a different CA. Whether it needs a separate CPS, I don't know - why is that? Or to put it on point, perhaps the CPS for the Test CA should be "this CPS imposes no restrictions." ?
> Anonymous (low security), Named and Organisation (medium security).
Why are these different CAs?
> Not really covered is the security need for code signing. However,
Say more? on code-signing, there is some older discussion here:
http://wiki.cacert.org/PolicyDrafts/CodesigningAssurancePolicy
practice is here I think:
http://wiki.cacert.org/CodesigningCert
SM here:
http://wiki.cacert.org/SecurityManual 8.2.2/2 admin role to set code-signing flag.
> CAcert is not capable to issue high security certificates at the moment.
> This is also on my task list, after SP is done.
Define "high security" ?
> Regards
> Benedikt
>
> On 15.02.2013 20:58, Ian G wrote:
>> Any other suggestions?
>> To pick up on this, some other suggestions have circulated:
>> * move PoJAM to POLICY
>> * move Security Policy to POLICY
>> Certainly, some close attention to the CPS would be welcome. Since it went to DRAFT, it has languished a bit. It would be nice to improve it and/or move it to POLICY. However I don't see it as the highest priority, nor the easiest task :)
iang