Skip to Content.
Sympa Menu

cacert-sysadm - [Cacert-sysadm] structure of root keys & certs

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

List archive

[Cacert-sysadm] structure of root keys & certs


Chronological Thread 
  • From: IanG <iang AT cacert.org>
  • To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Subject: [Cacert-sysadm] structure of root keys & certs
  • Date: Fri, 08 Aug 2008 17:38:16 +0200
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

I'm thinking about the generation of new roots. Thinking out aloud, there seem to be these issues:

1.  structure / organisation / hierarchy of roots
2.  ceremony for creation of root
3.  storage securely on signing server
4.  escrow root securely for disaster recovery

Does that cover the overall picture?



The first question, 1. above, is, what is the structure or roots we need for the future? E.g., same as now, Class 1 and 3 roots, one signing the other?

CPS says this currently:

http://svn.cacert.org/CAcert/policy.htm#p1.4
=====================
CAcert currently operates 2 roots known as the "Class 3" and "Class 1" roots:

* Class 3 root. Used primarily for certificates including the names of Assured Members.
* Class 1 root. Used primarily for certificates with no names and by unassured Members.

The Class 3 root is signed by the Class 1 root (the former is a sub-certificate of the latter, hence the Class 3 root is technically an intermediate certificate of the Class 1 root).

Relying parties can decide to trust only certificates for Assured Members (by selecting the Class 3 root for Assured Members as trust anchor), or all certificates (by selecting the Class 1 root for unassured Members as trust anchor). Assured Members have the option of using the Class 1 root but this facility is intended for compatibility rather than as a feature in its own right.
=====================



So something like:


 Class 1 ------> Class 3
  Root           Root
   |              |
   |              |
   |              |
  \|/            \|/
Anonymous       Assured
Certificate    Certificate



Is a new set of roots likely to be the same for the future? Or do we want to change that?

iang




Archive powered by MHonArc 2.6.16.

Top of Page