
Re: next steps?


  • From: Ian G <iang AT cacert.org>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: next steps?
  • Date: Sun, 17 Feb 2013 16:01:45 +0300

Hi Benedikt,

On 17/02/13 01:45 AM, Benedikt Heintel wrote:


These other issues below -- please treat my response as bar talk over beers as we're not actually evaluating the documents concerned right now. I find the comments interesting, though.

> and should be made ISO 27001 conformant. It's on my task list but not on
> priority 1.

Hmmm.... what does ISO 27001 conformance mean and why would it be good for CAcert?

> One policy I would like to add is CP / CPS. It is not totally compliant with RFC
> 3647.

Same question as above. Although the CPS was modelled after RFC 3647, it was never expected to be exactly the same. IMHO nor is that useful: "This document presents a framework to assist the writers of [CPS, etc]..." We were assisted :) so are we not conformant with the intention of the document?

> The RFC states one policy or at least one practice statement per
> (sub-)CA. As I figured out, CAcert has 4 CAs: Test (no security),

I would agree that Test is a different CA. Whether it needs a separate CPS, I don't know - why is that? Or to put it on point, perhaps the CPS for the Test CA should be "this CPS imposes no restrictions." ?


> Anonymous (low security), Named and Organisation (medium security).

Why are these different CAs?

> Not really covered is the security need for code signing. However,


Say more? On code-signing, there is some older discussion here:

http://wiki.cacert.org/PolicyDrafts/CodesigningAssurancePolicy

Practice is here I think:
http://wiki.cacert.org/CodesigningCert

SM here (8.2.2/2, admin role to set the code-signing flag):
http://wiki.cacert.org/SecurityManual


> CAcert is not capable of issuing high security certificates at the moment.
> This is also on my task list, after SP is done.

Define "high security" ?

> Regards
> Benedikt

> On 15.02.2013 20:58, Ian G wrote:
>> Any other suggestions?
To pick up on this, some other suggestions have circulated:

*  move PoJAM to POLICY

*  move Security Policy to POLICY


Certainly, some close attention to the CPS would be welcome. Since it went to DRAFT, it has languished a bit. It would be nice to improve it and/or move it to POLICY. However I don't see it as the highest priority, nor the easiest task :)

iang


