CAcert System Admins discussion list

[Kim Holburn <kim AT holburn.net>]

Just some thoughts.  Sorry for the questions.

I think that you're looking at this as a technical problem.  It is at  
least in part a social/policy problem here.  Most sysadmins can get  
around stuff and it's probably hard to stop them.

I'm not familiar with your setup but how about the carrot approach?   
Provide an authenticated smtps server so people can send cacert mail  
from anywhere.  Perhaps you have this already?  To extend it you could  
allow people with cacert emails to register other email addresses just  
like gmail?  This would allow people to use it for all their mail.   
Too much info?  You could only archive emails with cacert addresses in  
the header.

e-discovery law is changing anyway, I don't think you can guess what a  
court or an opponent in court might ask for in the future.

You could mandate that all business emails are digitally signed.   Has  
the idea of digitally signed emails been tested in court?

Does a digital signature require an email client to communicate with a  
key-server to verify it?  Does CACert run a keyserver?  With logs?

On 2008/Sep/04, at 3:57 PM, Daniel Black wrote:

> On Thu, 4 Sep 2008 07:35:48 pm Sam Johnston wrote:
> > On Wed, Sep 3, 2008 at 11:24 PM, Daniel Black <daniel AT cacert.org>  
> > wrote:
> >
> > Outbound email needs to be sent though a the provided gateway too
> >
> > > http://wiki.cacert.org/wiki/CommunityEmail (Yes I'm looking at you  
> > > IanG)
> >
> > That's all well and good but if it doesn't fit in people's  
> > workflows then
> > they won't do it,
>
> section 2a of the draft communication policy looks like it does  
> exactly that.
> Which despite the endorcement its received isn't worth the electrons  
> used to
> deliver it as peoples' workflow hasn't changed.
>
> > and as it is virtually impossible to enforce (except
> > perhaps by requiring people to use it and then unleashing SPF)  
> > CAcert will
> > be non-compliant.
>
> change is being driven by the business risk of judiciary discovery  
> and the
> need to mitigate spoofed emails claiming to be from this domain.
>
> this isn't some collusion between an auditor and a sysadmin to force  
> you into
> a technology, its driven by business risk.
>
> > Google Apps (free) and Postini (non-free, but affordable access to  
> > SAS 70
> > Type II et al)
>
> which may not be a workflow change for you but it is for others.  
> Somewhere
> there needs to be a workflow vs requirement trade off.
>
> > would be a more useful solution,
>
> because it suits your person workflow better? sure I'm a sysadmin  
> who likes
> what I've delived however there hasn't been a bit of feedback saying  
> XYZ
> could be better.
>
> What ever you come up with needs to meet the requirements and  
> culture of the
> organisation?
>
> though i was waiting for a final upstream release there is the  
> CAcert eating
> its own dogfood like client certificate authenicated webmail
> https://community.cacert.org/roundcubemail-svn ;(currently in testing
> still -use at own risk). Is this something Google Apps is going to  
> do soon?
> Is it even important? Of course wiki and bugs are yet another  
> password based
> system. how important is it to market client certs as a good thing  
> and not to
> implement them.
>
> The lists test for sympa is going ok but I need to do a bit more  
> work to get
> client certifcate authentication testing going there. In someways I  
> lost
> interest because of the lack of people driving these requirements.   
> Is it
> even important?
>
> > but I've said that before  with limited success.
>
> hey Teus is still president.
>
> Iang mentioned judiciary discovery before and had the same limited  
> response.
> This is more important to the organsation than a email client  
> preference. Yes
> its hard to balance the two.
>
> > Other solutions to consider are Bcc'ing one or more central archive
> > mailboxes - a simple solution that would work with most workflows.
>
> If the risk it is trying to address is judical discovery do you  
> really think
> the "yes your honour, all our people bcc email this address for all
> correspondance" will be accepted by a court?
>
> Simple needs to be met within the contrains of business  
> requirements. After
> all, sysadmins don't dictate terms do they.
>
> --
> Daniel Black 
> (daniel AT cacert.org)
> Email Administrator
> _______________________________________________
> CAcert-sysadm mailing list
> CAcert-sysadm AT lists.cacert.org
> https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-sysadm

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim AT holburn.net
  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                          -- Lloyd Biggle, Jr. Analog, Apr 1961