- From: Daniel Black <daniel AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Cc: IanG <iang AT cacert.org>, Jens Paul <cacert AT canyonsport.de>, Rasika Dayarathna <dayarathna AT gmail.com>, Greg Stark <17_gs AT rubyservices.com>, CAcert Board <cacert-board AT lists.cacert.org>, Henrik Heigl <henrik AT cacert.org>, audit AT cacert.org, Sebastian Kueppers <cacert AT kueppers.ath.cx>, Mario Lipinski <cacert AT l4w.info>
- Subject: Re: [Cacert-sysadm] secured mail through CAcert now working (why?)
- Date: Sun, 11 May 2008 23:30:51 +1000
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
- Organization: CACert - email administrator
Ok I haven't responded to this yet (mainly time commitments to clearly state
anything).
On Tue, 8 Apr 2008 09:20:04 pm IanG wrote:
> I've gone through Daniel's email process and set up the
> email for the address above, and got it working [1]. He
> has set up some instructions over at the wiki, which we can
> all follow and improve:
>
> http://wiki.cacert.org/wiki/CommunityEmail
And many thanks to those that did improve it esp. Sun Tzu Melange. Thanks
also for the edits on:
http://wiki.cacert.org/wiki/PolicyDrafts/EmailHandling
Thanks also to Sam/Teus for
http://wiki.cacert.org/wiki/EmailAccountPolicy
http://svn.cacert.org/CAcert/Policies/CAcertCommunicationPolicy.html
Comments have been provided, however I'm pretty happy with the documents.
Thank you both.
Thanks to IanG who provided motivation for people to define the policies to
where they are now.
> It's probably worthwhile to recall why he is doing this.
I'm going to just word this in my own words.
CAcert as a CA, has a primary role in the certification of identity (other
mission definitions exist as noted). In the current technology climate this
is best served by CAcert's current activities of issuing of X509 certificates
and signing PGP keys.
We do this certification because a verified sense of identity is important in
the online world. It is the necessary foundation that makes digital signing
mean signing by a person, and encryption mean encrypting to a person.
Email in the modern day has not the absolute sense of identity as it
previously did. Spammers, fraudsters and social engineers have exploited
this. Because this CA, CAcert, is about identity (IMHO), allowing officials
to use their own ISPs to send official emails is perpetuating the problem
exploited by spammers/fraudsters/social engineers.
Taking the first step in consolidating infrastructure has benefits. The
emergence of technologies like SPF and DKIM can harness the benefits of
consolidated infrastructure. In a world that is full of spam and phishing we
have gained the ability through defined standards to say @cacert.org email
comes from IP X,Y & Z (SPF), and the ability to say @cacert.org email is
digitally signed (DKIM and up and coming RFC ASP). In the same way that
X509/PGP signatures define a person's signature, these technologies define a
signature on an organisational basis free for automated technologies to
verify and kill off phishing schemes without the user's technical awareness.
Consolidated infrastructure that deploys POP3, IMAP and SMTP over
authenticated SSL/TLS has the benefit of allowing our officers and community
email users (constrained by policy) to communicate over encrypted
transport without the complication of content encryption. It's not the black
and white solution for all encryption requirements however it suits this one
quite nicely.
On outgoing email we use SMTP client certificates to show our organisational
identity, a CAcert certificate, to all servers that care to look or blindly
copy such info into email headers. We use transport encryption with verifiable
identity because that is what people should expect from a CA.
And while I've achieved some success in doing this, in a sense I've failed.
I've delivered another username/password for access to another service.
CAcert already has certificates for this purpose. As such I'm in the process
of correcting this wrong and allowing CAcert certificates to be used as an
authentication mechanism to mail services. Will take a bit of testing however
it is my goal to correct this.
Thanks for your time and I promise not to ramble like this often.
--
---
Daniel Black
(daniel AT cacert.org)
Attachment:
signature.asc
Description: This is a digitally signed message part.