cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: two possible MD5 hashed certificates in a chain
- Date: Wed, 13 Jan 2010 20:03:36 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
On Wednesday 13 January 2010 07:46:19 Ian G wrote:
> On 12/01/2010 07:16, Daniel Black wrote:
> > 1. get policy group to ok us moving all issuing off this the current root
> > cert only.
>
> Policy group ... probably (?) follows the CPS, which may say less about
> the old roots. So, to an extent, if you are suggesting changes that are
> ex-audit and ex-CPS, policy group might not say much.
>
> On the other hand, there is the above point about change of claim, and
> also policy group may want to simply ban or deprecate any non-CPS roots.
we'll see soon.
> The reason for that would be cleanliness, which in more practical
> terms would eliminate gotchas when going to root list owners.
> They want to feel as though they have the documentation on everything, and
ex-CPS
> roots would be an unhappy exception.
we'll see soon.
> OK, so your point is probably well made, and they should be asked.
done.
>
> > 2. prepare software changes and documentation changes to account for this
>
> Getting software changes through is very difficult. If your plan
> involves software changes, then factor in a lead time of 3-12 months.
> If the changes are significant, forget it.
removing (commenting) a bunch of code that provides a class3 option shouldn't
be too hard.
> We still haven't got the CCA rollout patches done.
guessing this was harder.
> Documentation is easier, but even that can be slow.
> > Is this good/better/bad/ugly and why?
>
> To be honest, I cannot see the benefit.
previous email and numerous by Andreas Bürki in various lists and board
meetings.
> It looks like a hack,
or just a really simple solution to a class3 md5 perception/support problem.
> and will take someone a lot of work.
Dieter offered. Just needs some leadership here to accept the benefit.
> If I was them, I'd want to see an overall improvement, not a hack.
There was a comment saying that if the NewRoots are coming in some
foreseeable
timeframe then they'd wait.
--
Daniel Black
Infrastructure Administrator
CAcert
- Re: two possible MD5 hashed certificates in a chain, Daniel Black, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Guillaume ROMAGNY, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Philipp Gühring, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Andreas Bürki, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Andreas Bürki, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Philipp Gühring, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Guillaume ROMAGNY - CAcert support, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Daniel Black, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain, Mario Lipinski, 01/12/2010
- Re: two possible MD5 hashed certificates in a chain - dropping future class3 certificates (until NewRoots), Daniel Black, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain - dropping future class3 certificates (until NewRoots), Mario Lipinski, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Philipp Guehring, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/13/2010
- Antwort: Re: two possible MD5 hashed certificates in a chain, roberto . mazzoni, 01/13/2010
- Re: Antwort: Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Dieter Hennig, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain, Ian G, 01/13/2010
- Re: two possible MD5 hashed certificates in a chain - dropping future class3 certificates (until NewRoots), Daniel Black, 01/13/2010
Archive powered by MHonArc 2.6.16.