cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Dieter Hennig <dieter.hennig AT id.ethz.ch>
- To: Ian G <iang AT cacert.org>
- Cc: "cacert-sysadm AT lists.cacert.org" <cacert-sysadm AT lists.cacert.org>, Philipp Guehring <philipp AT cacert.org>, Daniel Black <daniel AT cacert.org>, Mario Lipinski <mario AT cacert.org>
- Subject: Re: two possible MD5 hashed certificates in a chain
- Date: Wed, 13 Jan 2010 15:44:45 +0100
- Organization: Informatikdienste/Helpdesk
Hi,
Ian G wrote on 13.01.2010 14:38:
> On 13/01/2010 11:34, Philipp Guehring wrote:
>> Hi,
>>
>>>> Is this good/better/bad/ugly and why?
>>>
>>> I am using class3 certs. So just turning class 3 off just because of a
>>> senseless desire of some people is not an option imho.
>>
>> My suggestion is that we add some warning messages to the web-interface
>> that tell the users about the problems with the class3 certificate and
>> discourage them from using it (and to automatically use class1 instead of
>> class3), but to still allow class3 for those users that still need it.
>>
>> Is this acceptable for everyone?
>
>
> It sounds good to me. Indeed, it is a perceptional response to a
> perceptional issue, or to put it in Americanisms, it is a low-hanging
> fruit.
Let us try that; maybe in a second step we follow Daniel's idea more
and take *this* class3 away (but not revoke it), if we see that this
is possible.
> However, I am waiting to see if the users concerned (the two
> universities) are really prepared to use the Class 1.
a.) We (ETH) are distributing only the Class-1 certificate to our
managed desktop systems and would suggest that the students install it
on private notebooks too. The same will be done by the UZH. This is a
time-consuming process of several months.
b.) The (new?) Class-3 certificate we would use like an airbag and send
it as an *intermediate* certificate by the html-servers. Today our
server administrators know how to use that. Here we can react fast.
At the moment, we (the so-called "registration authority" is
getting CSRs from the known admins) are signing only with the Class-1, as
Daniel suggested too.
Best Regards
Dieter
--
Dieter Hennig
Informatikdienste/Helpdesk
ETH Zuerich, STB G 18.2
8092 Zuerich, Stampfenbachstr. 69
Tel: +41 44 632 4278
Fax: +41 44 632 1900