cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: samj AT samj.net
- To: IanG <iang AT cacert.org>
- Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] CAcert email address snafu
- Date: Mon, 18 Aug 2008 09:41:39 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
On 8/18/08, IanG
<iang AT cacert.org>
wrote:
> samj AT samj.net
> wrote:
>> CN schotzophrenia absolutely needs to be nailed down. I believe the
>> world believes that when CAcert sets CN it is via the WoT, and we
>> should work to make reality match expectation.
>
> OK. What change should be made to Organisation Assurance to
> make the CN be an assured name?
Just reatrict oadmins to allowing certain users and domains to include
their legal name (O), jurisdiction (L, ST, C) and optionally job
title, org unit, etc. If they want to set CN they can use the CAP like
everyone else.
>> For domain ownership forget about registry databases and whois-we
>> can't access them universally and corrupting whois data can result in
>> domain loss.
>
>
> I'm not sure I understand either of those parts. What do
> you mean by "we can't access them universally?" ... unless
> you mean the oddity that Philipp posted on microsoft.com
> (what is happening there, btw?)
Universally means for every possible domain and subdomain.
Corruption means inserting auth tokens into the whois.
> Corrupting: I didn't see mention of corruption, what do you
> mean?
>
>
>> On the other hand, random, repeated, automated checks are kosher, but
>> not for humans as this leads to phishing. So, checking a cname record
>> exists or a HTML file or a metatag or just some cookie could raise the
>> bar somewhat, essentially for free.
>
>
> OK, checking DNS, like a cname record. Checking a HTML file
> or a metatag works also.
>
> As Philipp pointed out it doesn't cover all the territory.
> But neither does the status quo.
Domain and email verification should be codified in separate
policies-they are both important, not particularly well done, and we
have various policies messing with them, like OA which should not care
about domains.
Sam on iPhone
> iang
>
> _______________________________________________
> CAcert-sysadm mailing list
> CAcert-sysadm AT lists.cacert.org
> https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-sysadm
>
- Re: [Cacert-sysadm] CAcert email address snafu, (continued)
- Re: [Cacert-sysadm] CAcert email address snafu, Sam Johnston, 08/22/2008
- Re: [Cacert-sysadm] CAcert email address snafu, IanG, 08/28/2008
- Re: [Cacert-sysadm] CAcert email address snafu, Sam Johnston, 08/28/2008
- Re: [Cacert-sysadm] CAcert email address snafu, IanG, 08/29/2008
- Re: [Cacert-sysadm] CAcert email address snafu, Sam Johnston, 08/29/2008
- Re: [Cacert-sysadm] CAcert email address snafu, Philipp Guehring, 08/16/2008
- Re: [Cacert-sysadm] CAcert email address snafu, IanG, 08/17/2008
- Re: [Cacert-sysadm] CAcert email address snafu, samj, 08/17/2008
- Re: [Cacert-sysadm] CAcert email address snafu, samj, 08/17/2008
- Re: [Cacert-sysadm] CAcert email address snafu, IanG, 08/17/2008
- Re: [Cacert-sysadm] CAcert email address snafu, samj, 08/18/2008
- Re: [Cacert-sysadm] CAcert email address snafu, IanG, 08/18/2008
Archive powered by MHonArc 2.6.16.