cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
Re: [Cacert-sysadm] [CAcert-Board] secured mail through CAcert now working (why?)
- From: Teus Hagen <teus AT theunis.org>
- To: Daniel Black <daniel AT cacert.org>
- Cc: cacert-sysadm AT lists.cacert.org, cacert-board AT lists.cacert.org
- Subject: Re: [Cacert-sysadm] [CAcert-Board] secured mail through CAcert now working (why?)
- Date: Tue, 13 May 2008 10:21:07 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
- Openpgp: id=85796A23
- Organization: Stichting NLnet
Daniel,
Thanks for your email.
You initiated the organisation communication stricture as settled down
on the policy level with the communication policy, which policy work was
done by several persons from the community. You are maintaining the
implementation and management of it, which is good.
You even have ideas to improve it, which is good as with certificate
service as core item there is a message to carry, e.g. using certificates
as imap access? And as you mentioned many other things to happen. If so
get the feasibility tested and propose them for acceptance.
teus
On 11/05/08 15:30, Daniel Black wrote:
> Ok I haven't responded to this yet (mainly time commitments to clearly state
> anything).
>
> On Tue, 8 Apr 2008 09:20:04 pm IanG wrote:
>
>> I've gone through Daniel's email process and set up the
>> email for the address above, and got it working [1]. He
>> has set up some instructions over at the wiki, which we can
>> all follow and improve:
>>
>> http://wiki.cacert.org/wiki/CommunityEmail
>>
>
> And many thanks to those that did improve it esp. Sun Tzu Melange. Thanks
> also for the edits on:
> http://wiki.cacert.org/wiki/PolicyDrafts/EmailHandling
>
> Thanks also to Sam/ Teus for
> http://wiki.cacert.org/wiki/EmailAccountPolicy
> http://svn.cacert.org/CAcert/Policies/CAcertCommunicationPolicy.html
>
> Comments have been provided however I'm pretty happy with the documents.
>
> Thank you both.
>
> Thanks to IanG who provided motivation for people to define the policies to
> where they are now.
>
>
>> It's probably worthwhile to recall why he is doing this.
>>
>
> I'm going to just word this in my own words.
>
> CAcert as a CA, has a primary role in the certification of identity (other
> mission definitions exist as noted). In the current technology climate this
> is best served by CAcert's current activities of issuing of X509 certificates
> and signing PGP keys.
>
> We do this certification because a verified sense of identity is important
> in the online world. It is the necessary foundation that makes digital
> signing mean signing by a person, and encryption mean encrypting to a person.
>
> Email in the modern day has not the absolute sense of identity as it
> previously did. Spammers, fraudsters and social engineers have exploited
> this. Because this CA, CAcert, is about identity (IMHO), allowing officials
> to use their own ISPs to send official emails is perpetuating the problem
> exploited by spammers/fraudsters/social engineers.
>
> Taking the first step in consolidating infrastructure has benefits. The
> emergence of technologies like SPF and DKIM can harness the benefits of
> consolidated infrastructure. In a world that is full of spam and phishing
> we have gained the ability through defined standards to say @cacert.org email
> comes from IP X,Y & Z (SPF), and the ability to say @cacert.org email is
> digitally signed (DKIM and up and coming RFC ASP). In the same way that
> X509/PGP signatures define a person's signature, these technologies define
> a signature on an organisational basis free for automated technologies to
> verify and kill off phishing schemes without the user's technical awareness.
>
> Consolidated infrastructure that deploys POP3, IMAP and SMTP over
> authenticated SSL/TLS has the benefit of allowing our officers and
> community email users (constrained by policy) to communicate over encrypted
> transport without the complication of content encryption. It's not the black
> and white solution for all encryption requirements however it suits this
> one quite nicely.
>
> On outgoing email we use SMTP client certificates to show our
> organisational identity, a CAcert certificate, to all servers that care to
> look or blindly copy such info into email headers. We use transport
> encryption with verifiable identity because that is what people should
> expect from a CA.
>
> And while I've achieved some success in doing this, in a sense I've failed.
> I've delivered another username/password for access to another service.
> CAcert already has certificates for this purpose. As such I'm in the
> progress of correcting this wrong and allowing CAcert certificates to be
> used as an authentication mechanism to mail services. Will take a bit of
> testing however it is my goal to correct this.
>
> Thanks for your time and I promise not to ramble like this often.
>
>