cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Evaldo Gardenali <evaldo AT gardenali.biz>
- To: IanG <iang AT cacert.org>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>, Jens Paul <cacert AT canyonsport.de>, Henrik Heigl <henrik AT cacert.org>, Greg Stark <17_gs AT rubyservices.com>, Rasika Dayarathna <dayarathna AT gmail.com>, CAcert Board <cacert-board AT lists.cacert.org>, audit AT cacert.org, Sebastian Kueppers <cacert AT kueppers.ath.cx>, Mario Lipinski <cacert AT l4w.info>
- Subject: Re: [Cacert-sysadm] secured mail through CAcert now working (why?)
- Date: Tue, 08 Apr 2008 10:19:10 -0300
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
Hi
IanG escreveu:
I've gone through Daniel's email process and set up the email for the address above, and got it working [1]. He has set up some instructions over at the wiki, which we can all follow and improve:Community Emails are not going to accomplish that. Adoption of X.509 will. Unless we are not X509 providers anymore, and we now are email service providers.
http://wiki.cacert.org/wiki/CommunityEmail
It's probably worthwhile to recall why he is doing this.
At the 'top' there was a discussion about setting up better support for encrypting email, a little because of general threats to our email [2] but mostly because as a CA we should be able to show we can do it, comprehensively. "Eat your own dogfood" the Americans say. A way to meet our mission.
This goes exactly the opposite direction of X.509, which means we should issue certificates for people to use on their own servers and their own accounts.
Encrypting everything somehow conflicted with another discussion about escrowing official email, coming out of the Arbitration and Threats discussions. Escrow was considered to be a serious benefit if we ever get hit by legal discovery, because the email is then already collected. This will save us a heap of bureaucracy [3].Escrow should be handled in a different way: just set your mail client to BCC escrow AT cacert.org (with a valid certificate) by default, and keep the private key safe, so it is escrow not leakage.
You are referring to a different problem.
=============
m20070920.2: Agreed to ask that the new email system can be set up to automatically archive everything on "official" lists. Privacy officer to be consulted before actually implementing it.
=============
As we know, encrypted lists are a "hard problem". The rough high level design was felt to be using CAcert servers as the IMAP/POP/SMTP servers for all official traffic. This way, we could do both encrypted mail (over TLS) and also do the escrow part (by central capture).
Encrypted list: Sympa is an awesome mailing list manager, used by many universities and big companies worldwide. I have referred Duane, Philipp, and others to Sympa a few times, and I mentioned that to the Board as well. It also implements browseable archives and a lot of features we would find interesting.
And what good is it for? I fail to see the benefit of "encrypted servers" in "encrypted emails" scenery. It just does not fit. End-to-end encrypted emails are safe, even if you publish them to newspapers. "encrypted servers" just gives us FALSE SENSE OF SECURITY.
The first phase of this work is now complete, there is a complete setup of encrypted servers available.
Easy, just create an account, a certificate, and tell people to set their email clients to (B)CC by default.
This leaves some phases left.
1. the escrowed system as mentioned in m20070920.2.
2. a policy by which people are allocated email addresses @ cacert.org . This is currently before M-SC, see wiki.The whole @community.cacert.org will create a management nightmare. Again, we are CAcert, not Hotmail nor Gmail.
3. a related initiative to give wider access to the community access to this sort of protected email. The current working title for this is community.cacert.org. Who then is to be given this access? Full Assurers? All Members? 150 point Assurers?Did we change our focus to be email provider? that creates a whole lot of new liability problems and DPA issues. Does auditor like that?
For these items, there are a lot of details to work out. Of course, all this can change. But the basic work done so far is good and useful.Good and Useful to what purpose? I see they are good and useful if we become email providers.
Meanwhile, all, it will help to setup your email addresses so we can move over to this method, as per the decision(s) agreed at 'top'.The details seem to be a bit overlooked here, and I fail to understand it as a coherent design. Where are the plans for me to examine?
iang @ cacert . org
[1] Temporarily, as I don't want an "official" address, I'll work with the "community" address when it turns up.
[2] Which created an unusual and delicious tension with the policy to be open in all things.
[3] I agree that this benefit can only be appreciated by those who've been through American-style legal discovery :)
And this remembers me... Who decided that we'd open community.cacert.org? Who saw the proposal presented before it went live?
Waiting for some answers
Evaldo
- [Cacert-sysadm] secured mail through CAcert now working (why?), IanG, 04/08/2008
- Re: [Cacert-sysadm] secured mail through CAcert now working (why?), Evaldo Gardenali, 04/08/2008
- Re: [Cacert-sysadm] secured mail through CAcert now working (why?), Iang, 04/09/2008
- Message not available
- Re: [Cacert-sysadm] [CAcert-Board] secured mail through CAcert now working (why?), Teus Hagen, 04/10/2008
- Re: [Cacert-sysadm] secured mail through CAcert now working (why?), Sam Johnston, 04/10/2008
- <Possible follow-up(s)>
- Re: [Cacert-sysadm] secured mail through CAcert now working (why?), Iang, 04/11/2008
- Re: [Cacert-sysadm] secured mail through CAcert now working (why?), Evaldo Gardenali, 04/08/2008
Archive powered by MHonArc 2.6.16.