CAcert System Admins discussion list

[Ian G <iang AT iang.org>]

On 13/09/2009 13:10, Guillaume ROMAGNY wrote:

> > > http://bugs.cacert.org/view.php?id=775

> I have checked (too quickly?) the CPS
> http://svn.cacert.org/CAcert/policy.htm
> and CAcert website
> https://www.cacert.org/index.php?id=19


Hmmm... that page is annoying.  I wonder if we can just drop it.


> The overall is unclear because Orgs are not part of the audit.
>
> CPS says 6 months or better 24 month if user is assured
> CAcert website adds "Code signing certificates" is limited to 12 months.
>
> Organisations are basically assured so the lifetime should be 24 months
> (or 12 months for codesigning).
>
> unless Ian interprets the texts in a more formal way.


I think your interpretation is about right.  Without some special 
condition, the org certs should be "up to 24 months" as they are assured.

It's a CPS issue not an assurance issue I guess, so that saves is from 
having to worry about missing OA dox.

Audit probably doesn't care however if you can issue 24 months and only 
issue 12 months.  This is more a business issue than a reliance issue.

So it's a matter of just fixing it whenever.  There is also the issue of 
PGP signatures, which is also 12m instead of 24.

iang