
cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list


Re: [Cacert-sysadm] CAcert email address snafu


  • From: IanG <iang AT cacert.org>
  • To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Subject: Re: [Cacert-sysadm] CAcert email address snafu
  • Date: Fri, 29 Aug 2008 12:25:00 +0200
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

Sam Johnston wrote:

> On Wed, Aug 27, 2008 at 3:46 PM, IanG <iang AT cacert.org> wrote:
>
>>     $ whois iang.org | grep CAcert-auth
>>
>>     It looks a lot simpler to me than checking DNS, but I gather
>>     DNS is checkable via other programs.  Or, have I missed something?
>
> Perhaps, but this doesn't work for many domains and would likely be unreliable.

Sam,

we can resolve this difficulty by using "USER CHOICE." It works this way:

We create a range of possibilities for the member to choose how to establish a good claim of control or ownership. The user selects from this choice. If the user can use the first one, they do. If the second, that also is available. If the third is better, they choose that...

The reason we should do it this way is because of a fundamental principle of security: nothing is perfect. All methods have flaws.

The current method has flaws. The method I suggest has flaws. The method you suggest has flaws. Provide them all and get some confidence from a couple of them, combined!

> Such checks should go in the DNS itself, and be conducted as and when we see fit (probably as often as we can, within reason).

I've previously made the point that far more users can access their domain registry info than their DNS ... but I guess it's a non-sticky point?

> Problems should be alerted and if not resolved promptly then certificates should be revoked. This solves the problem of domain turnover too (eg ownership changes).

I think ... the next thing is to move across to policy and get a working proposal written up. At this stage I think we are repeating points without adding anything here, and as it is first a policy issue, and only second a tech issue, it's time to ask them to discuss it from a policy-not-geek perspective.

iang
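The thread above sketches two ideas without code: "user choice" (let the member pick one or more of several control-of-domain checks, e.g. a marker in the whois record or a DNS record, and gain confidence from a couple combined) and periodic re-checking with alert-then-revoke on persistent failure. The following is an added example, not code from this thread or from CAcert, showing how a validation service could model both. The whois text, the `_cacert-auth.<domain>` TXT label, the `CAcert-auth=<token>` marker format, the `required` threshold and the `grace` count are all constructed assumptions; the lookups are in-memory tables standing in for live whois/DNS queries, so nothing touches the network.

```python
"""Toy model of 'user choice' domain-control validation with periodic re-checks.

Added example, not CAcert code. Data sources are constructed in-memory stand-ins
for whois output and DNS TXT lookups; no network access is performed.
"""
from dataclasses import dataclass

# Constructed sample whois text keyed by domain (hypothetical registrants).
SAMPLE_WHOIS = {
    "example.org": "Domain Name: EXAMPLE.ORG\nRegistrant: Example Owner\nRemarks: CAcert-auth=abc123\n",
    "example.net": "Domain Name: EXAMPLE.NET\nRegistrant: REDACTED FOR PRIVACY\n",
}

# Constructed TXT records keyed by the (assumed) label the member would publish under.
SAMPLE_DNS_TXT = {
    "_cacert-auth.example.org": ["cacert-auth=abc123"],
    "_cacert-auth.example.net": ["cacert-auth=abc123"],
}


@dataclass
class Sources:
    """Lookup tables standing in for live whois and DNS queries."""
    whois: dict
    dns_txt: dict


def check_whois(domain: str, token: str, src: Sources) -> bool:
    """Method 1: the member put 'CAcert-auth=<token>' into their registry record."""
    return f"CAcert-auth={token}" in src.whois.get(domain, "")


def check_dns_txt(domain: str, token: str, src: Sources) -> bool:
    """Method 2: the member published a TXT record under _cacert-auth.<domain>."""
    expected = f"cacert-auth={token}".lower()
    records = src.dns_txt.get(f"_cacert-auth.{domain}", [])
    return any(r.strip().lower() == expected for r in records)


# The menu the member chooses from; more methods (e-mail, HTTP file, ...) would slot in here.
METHODS = {"whois": check_whois, "dns_txt": check_dns_txt}


def validate(domain: str, token: str, chosen: tuple, src: Sources, required: int = 1):
    """Run the methods the member chose; pass when at least `required` of them succeed.

    Returns (passed, per-method results) so an operator can see which check failed.
    """
    results = {name: METHODS[name](domain, token, src) for name in chosen}
    return sum(results.values()) >= required, results


@dataclass
class CertState:
    """Tracks one issued certificate across periodic re-validation."""
    domain: str
    token: str
    methods: tuple
    consecutive_failures: int = 0
    status: str = "valid"  # valid -> alerted -> revoked


def recheck(state: CertState, src: Sources, grace: int = 2) -> str:
    """Re-run the chosen checks; alert on failure, revoke once failures exceed `grace`."""
    ok, _ = validate(state.domain, state.token, state.methods, src)
    if ok:
        state.consecutive_failures = 0
        state.status = "valid"
    else:
        state.consecutive_failures += 1
        state.status = "revoked" if state.consecutive_failures > grace else "alerted"
    return state.status


def demo() -> list:
    """Simulate a domain changing hands: the new owner publishes neither marker."""
    src = Sources(whois=dict(SAMPLE_WHOIS),
                  dns_txt={k: list(v) for k, v in SAMPLE_DNS_TXT.items()})
    state = CertState("example.org", "abc123", ("whois", "dns_txt"))
    history = [recheck(state, src)]            # both methods pass -> "valid"
    # Ownership change: registry record rewritten, TXT record gone.
    src.whois["example.org"] = "Domain Name: EXAMPLE.ORG\nRegistrant: New Owner\n"
    src.dns_txt["_cacert-auth.example.org"] = []
    for _ in range(3):                         # alerted, alerted, then revoked
        history.append(recheck(state, src))
    return history


if __name__ == "__main__":
    print(demo())  # ['valid', 'alerted', 'alerted', 'revoked']
```

`example.net` in the sample data illustrates Sam's objection: its whois record is privacy-redacted, so the whois method alone fails, yet the member can still pass by choosing the DNS method. Raising `required` to 2 implements Ian's "confidence from a couple of them, combined" for members who can publish both.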




Archive powered by MHonArc 2.6.16.
