- From: IanG <iang AT cacert.org>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: [Cacert-sysadm] structure of root keys & certs
- Date: Fri, 08 Aug 2008 17:38:16 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
I'm thinking about the generation of new roots. Thinking out aloud, there seem to be these issues:
1. structure / organisation / hierarchy of roots
2. ceremony for creation of root
3. storage securely on signing server
4. escrow root securely for disaster recovery
Does that cover the overall picture?
The first question, 1. above, is, what is the structure of roots we need for the future? E.g., same as now, Class 1 and 3 roots, one signing the other?
CPS says this currently:
http://svn.cacert.org/CAcert/policy.htm#p1.4
=====================
CAcert currently operates 2 roots known as the "Class 3" and "Class 1" roots:
* Class 3 root. Used primarily for certificates including the names of Assured Members.
* Class 1 root. Used primarily for certificates with no names and by unassured Members.
The Class 3 root is signed by the Class 1 root (the former is a sub-certificate of the latter, hence the Class 3 root is technically an intermediate certificate of the Class 1 root).
Relying parties can decide to trust only certificates for Assured Members (by selecting the Class 3 root for Assured Members as trust anchor), or all certificates (by selecting the Class 1 root for unassured Members as trust anchor). Assured Members have the option of using the Class 1 root but this facility is intended for compatibility rather than as a feature in its own right.
=====================
So something like:

Class 1 ------> Class 3
  Root            Root
   |               |
   |               |
   |               |
  \|/             \|/
Anonymous        Assured
Certificate      Certificate

Is a new set of roots likely to be the same for the future? Or do we want to change that?
iang
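The two-root structure quoted from the CPS above, built with OpenSSL as an added example (this is not Ian's code and not CAcert's own root-generation procedure; the subject names, P-256 keys and 30-day validity are placeholders). It checks what each trust-anchor choice described in the CPS excerpt actually validates, including the case the excerpt hints at: Class 3 is "technically an intermediate", so a verifier has to be willing to stop at a trust anchor that is not self-signed.

```shell
#!/bin/sh
# Added example: reproduce the CPS's two-root structure with throwaway keys
# and check what each trust-anchor choice validates. Subject names, the
# 30-day validity and the P-256 keys are placeholders, not CAcert's values.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for a CA certificate and for an end-entity certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# gen_csr NAME SUBJECT: fresh key plus a CSR, both named after NAME.
gen_csr() {
    openssl ecparam -genkey -name prime256v1 -noout -out "$1.key"
    openssl req -new -key "$1.key" -subj "$2" -out "$1.csr"
}

# Class 1 root: self-signed.
gen_csr class1 "/CN=Class 1 Root (example)"
openssl x509 -req -in class1.csr -signkey class1.key -days 30 \
    -extfile ca.ext -out class1.pem

# Class 3 root: signed by Class 1, so technically an intermediate.
gen_csr class3 "/CN=Class 3 Root (example)"
openssl x509 -req -in class3.csr -CA class1.pem -CAkey class1.key -CAcreateserial \
    -days 30 -extfile ca.ext -out class3.pem

# Anonymous certificate under Class 1, assured certificate under Class 3.
gen_csr anon "/CN=anonymous.example"
openssl x509 -req -in anon.csr -CA class1.pem -CAkey class1.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out anon.pem
gen_csr assured "/CN=assured.example"
openssl x509 -req -in assured.csr -CA class3.pem -CAkey class3.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out assured.pem

# verify_with ANCHOR LEAF [UNTRUSTED_CHAIN] [EXTRA_FLAGS]: prints ok or fail.
# ANCHOR is the relying party's chosen trust anchor; UNTRUSTED_CHAIN is what
# the certificate holder would send along with the leaf.
verify_with() {
    anchor=$1; leaf=$2; untrusted=$3; flags=$4
    if [ -n "$untrusted" ]; then
        set -- -CAfile "$anchor" -untrusted "$untrusted"
    else
        set -- -CAfile "$anchor"
    fi
    if openssl verify $flags "$@" "$leaf" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Trust anchor Class 1: both kinds verify (Class 3 travels with the assured cert).
echo "class1 -> anon:    $(verify_with class1.pem anon.pem)"
echo "class1 -> assured: $(verify_with class1.pem assured.pem class3.pem)"
# Trust anchor Class 3 only: the anonymous certificate cannot chain to it ...
echo "class3 -> anon:    $(verify_with class3.pem anon.pem)"
# ... and the assured one only verifies if the verifier accepts a trust anchor
# that is not self-signed (OpenSSL calls this a partial chain).
echo "class3 -> assured:                 $(verify_with class3.pem assured.pem)"
echo "class3 -> assured (partial chain): $(verify_with class3.pem assured.pem '' -partial_chain)"
```

The last two lines are the check worth keeping in mind for the structure question: selecting Class 3 alone as the trust anchor only works in software that will stop at a non-self-signed certificate in its trust store. A verifier that insists on walking up to a self-signed root either rejects the assured certificate outright or, if it also has Class 1 in its store, ends up accepting anonymous certificates as well, because the chain walks straight past Class 3. Whether the new roots should keep the "one signing the other" arrangement or be two independent self-signed roots turns largely on that behaviour of relying-party software.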
- [Cacert-sysadm] structure of root keys & certs, IanG, 08/08/2008
- Re: [Cacert-sysadm] structure of root keys & certs, Guillaume ROMAGNY, 08/08/2008