CAcert System Admins discussion list

[Wytze van der Raay <wytze AT cacert.org>]

[directing follow-ups of this discussion tot cacert-sysadm rather than
 cacert-systemlog (which should be used for logging mainly)]

On 08/19/2009 12:26 AM, Philipp Guehring wrote:
>> ...
>> 2. The startup of the CommModule process should not be hacked into the
>>    Apache server startup script, but requires a proper startup script of
>>    its own, including precautions against multiple starts.
>>   
> Can anyone develop a proper startup script?

Yes, it's on my list of things to do. It's not hard, just needs som
close attention.

>> 3. The size of the CAcert CRLs should be monitored, and a drop in size
>>    should generate an immediate alert.
>   
> Hmm, just an alert, or a prevention of the update?

My thinking was an alert, but prevention of the update would possibly
be safer, except for:

> Well, seldomly, CRLs are being cleaned up. In those cases,
> update-prevention would be bad.

Is this actually possible? Does the current system ever shrink the CRL?
Or do you mean that it could be shrunk by a manual update? If so, when
would that happen?

> I am currently thinking, whether we should check the signature on the
> CRL, before we accept an updated CRL and continue distributing it.
> (instead of just checking the size)

Checking the signature sounds good to me. Something like:
  openssl crl -in revoke.crl -inform der -CAfile CAcert.crt -noout
?

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature