cacert-sysadm - Re: [Cacert-sysadm] Objections to a possible setup

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: Mendel Mobach <extern AT leercoden.nl>
  • To: cacert-sysadm AT lists.cacert.org
  • Subject: Re: [Cacert-sysadm] Objections to a possible setup
  • Date: Thu, 26 Mar 2009 21:28:57 +0100


On Mar 26, 2009, at 9:20 PM, Ian G (Audit) wrote:

Hmm, I thought there was something in SP about no passwords ... but I won't look now as it might destroy the thread of the conversation :)

Yeah but we need an infrastructure to enforce that policy. (and let's talk about it later)

( Security being of course very integrated with and dependent on the
application, without an application it is perfectly secure :)

remote root access.


OK, I'm not making myself clear. What I wanted to know is what *applications* are going on these machines, and whether these are *critical* or *infrastructure*.

Infrastructure. The critical apps like signing server, user database, frontend etc. do have their own hardware with even more strict rules.

In particular, are we talking about the signing app, the critical user database, the frontend CA application or the other related critical parts living on a virtual server / host?

No they will keep their own hardware.

Or are you talking about the logging server, being separate from the above?

That's one. However the signing server doesn't speak IP. It won't be able to log (yet) to another server.

Or, does "remote root access" mean this is for the hop-server, the server where sysadms connect into before ssh-ing to the critical servers and/or the console access?

Yes. That's what remote root access does mean in this case. For the webserver it's a bit different at the moment but that will change to comply with the SP.

Kind Regards,

Mendel Mobach




