cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: IanG <iang AT cacert.org>
- To: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
- Subject: Re: [Cacert-sysadm] CAcert email address snafu
- Date: Fri, 29 Aug 2008 12:25:00 +0200
- List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
- List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>
Sam Johnston wrote:
> On Wed, Aug 27, 2008 at 3:46 PM, IanG <iang AT cacert.org> wrote:
>>     $ whois iang.org | grep CAcert-auth
>>
>> It looks a lot simpler to me than checking DNS, but I gather
>> DNS is checkable via other programs. Or, have I missed something?
>
> Perhaps but this doesn't work for many domains and would likely be unreliable.
Sam,
we can resolve this difficulty by using "USER CHOICE." It works this way:
We create a range of possibilities for the member to choose how to establish a good claim of control or ownership. The user selects from this choice. If the user can use the first one, they do. If the second, that also is available. If the third is better, they choose that...
The reason we should do it this way is because of a fundamental principle of security: nothing is perfect. All methods have flaws.
The current method has flaws. The method I suggest has flaws. The method you suggest has flaws. Provide them all and get some confidence from a couple of them, combined!
> Such checks should go in the DNS itself, and be conducted as and when we see fit (probably as often as we can, within reason).
I've previously made the point that far more users can access their domain registry info than their DNS ... but I guess it's a non-sticky point?
> Problems should be alerted and if not resolved promptly then certificates should be revoked. This solves the problem of domain turnover too (eg ownership changes).
I think ... the next thing is to move across to policy and get a working proposal written up. At this stage I think we are repeating points without adding anything here, and as it is first a policy issue, and only second a tech issue, it's time to ask them to discuss it from a policy-not-geek perspective.
iang
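
Added example, not part of the original message and not CAcert code: a sketch of the "user choice" idea discussed above, where the member supplies evidence through whichever methods they can use and acceptance needs more than one method to agree. The `CAcert-auth` token syntax, the sample whois and TXT data, the function names and the threshold of two are all assumptions made for illustration.

```python
import hmac
import re

# Constructed sample inputs (not real registry or DNS data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Registrant Name: Example Member
Remarks: CAcert-auth: 7f3a9c21
"""
SAMPLE_TXT = ["v=spf1 -all", "CAcert-auth=7f3a9c21"]

# Assumed marker syntax: "CAcert-auth", then ':' or '=', then a token.
MARKER = re.compile(r"CAcert-auth\s*[:=]\s*([A-Za-z0-9]+)")


def _has_token(text, expected):
    """True if any CAcert-auth marker in text carries the expected token."""
    return any(hmac.compare_digest(found.encode(), expected.encode())
               for found in MARKER.findall(text))


def check_whois(whois_text, expected):
    """Registry route: the token appears in the domain's whois record."""
    return _has_token(whois_text, expected)


def check_dns_txt(txt_records, expected):
    """DNS route: the token appears in one of the domain's TXT records."""
    return any(_has_token(record, expected) for record in txt_records)


def evaluate(chosen, expected, required=2):
    """chosen maps a method name to the evidence the member supplied for it.

    Returns (accepted, passed_methods). No single method is trusted alone:
    acceptance needs at least `required` independent methods to pass.
    Unknown method names are ignored rather than counted.
    """
    checkers = {"whois": check_whois, "dns": check_dns_txt}
    passed = sorted(name for name, evidence in chosen.items()
                    if name in checkers and checkers[name](evidence, expected))
    return len(passed) >= required, passed


if __name__ == "__main__":
    print(evaluate({"whois": SAMPLE_WHOIS, "dns": SAMPLE_TXT}, "7f3a9c21"))
```

Running the same evaluation on a schedule and alerting when a domain drops below the threshold corresponds to the re-check point quoted in the message.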