CAcert System Admins discussion list

[Ian G <iang AT cacert.org>]

Hi Deiter

It feels like we are getting closer to a solution, but I want to be 
careful we are not just following a chimera here.


On 13/01/2010 15:44, Dieter Hennig wrote:
> Hi,
>
>
> schrieb Ian G, Am 13.01.2010 14:38:
> > On 13/01/2010 11:34, Philipp Guehring wrote:
> > > Hi,
> > >
> > > > > Is this good/better/bad/ugly and why?
> > > >
> > > > I am using class3 certs. So just turning class 3 off just because of a
> > > > senseless desire of some people is not an option imho.
> > >
> > > My suggestion is that we add some warning messages to the web-interface,
> > > that tells the users about the problems with the class3 certificate and
> > > discourages them to use it, (and to automatically use class1 instead of
> > > class3) but to still allow class3 for those users that still need it.
> > >
> > > Is this acceptable for everyone?
> >
> >
> > It sounds good to me.  Indeed, it is a perceptional response to a
> > perceptional issue, or to put it in americanisms, it is a low hanging
> > fruit.
>
>
> Let us try that, maybe in the second step we following more Daniels idea
> to take *this* class3 away (but not to revoke it), if we see, that this
> is possible.


Just to be absolutely clear:  Are you agreed that switching the default 
around from Class 3 to Class 1 solves your problem?

That's what Philipp proposed.

(Daniel's proposal -- dropping the Class 3 -- is an entirely more 
aggressive step.  See below.)


> > However, I am waiting to see if the users concerned (the two
> > universities) are really prepared to use the Class 1.
>
>
> a.) We (ETH) are distributing only the Class-1 certificate to our
> managed desktop systems and would suggest the students to install that
> on private notebooks too. The same will be done by the UZH. This is a
> time consuming process of several months.
>
> b.) The  (new?) Class-3-certificate we would use like an airbag and send
> it as an *intermediate* certificate by the html-servers. Today our
> servers-administrators know how to use that. Here we can react fast.


So the system administrators are in charge of the Class-3 question.  And 
you can react quickly here.

So if there is a need to instruct those sysadms to not use the Class 3, 
then you can do that?  Already?


> Just in the moment, we (the so called "registration authority" is
> getting CSR from the known admins) are signing only with the Class-1, as
> Daniel suggested too.


What advantage does dropping the Class 3 from CAcert's entire community 
then offer you that you don't already have?


iang

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature